© RANDORISEC - 2017 Version 1.0 – March 28, 2017

PENTEST REPORT

TLP:WHITE

This report is classified TLP:WHITE. TLP:WHITE is information that is for public, unrestricted dissemination, publication, web-posting or broadcast. Any member of the Information Exchange may publish the information, subject to copyright.


TheHive Pentest Report

CLASSIFICATION: PUBLIC / TLP:WHITE Page 1 of 20

1. Executive Summary

TheHive[1] is a free and open-source security incident response platform. It relies on Cortex[2] to analyze observables (IP, email addresses, domain names, etc.). Both tools were designed and developed by TheHive Project[3].

A penetration test, which followed the WAHH[4] methodology, was performed by RANDORISEC to assess the security level of the platform. We tested TheHive Buckfast 0 (version 2.10.0) and Cortex version 1.0.0.

Positive Points

We were unable to access the web application anonymously. We were also unable to elevate our privileges without resorting to social engineering tricks.

Negative Points

We have identified a critical vulnerability (Stored Cross-Site Scripting) along with a few less critical ones (Reflected Cross-Site Scripting, Vertical privilege escalation, Concurrent sessions allowed, No account lockout policy, No password policy, Information leakage and Cross-Site Request Forgery).

By exploiting these vulnerabilities, an attacker could trick users into executing malicious code in their browsers and/or computers, or try to brute-force the authentication mechanism. This could lead to illegitimate access or privilege escalation. The only critical vulnerability we found does not come directly from TheHive code but from a dependency. The developers have been made aware of the vulnerabilities prior to the publication of this report, according to the responsible disclosure policy[5]. They assured RANDORISEC that most if not all vulnerabilities would be fixed in Buckfast 2 (version 2.10.2), due in April 2017.

We also found some low severity vulnerabilities. They are mainly located in the access part (session handling and authentication) and should not be very challenging to fix.

[1] https://github.com/CERT-BDF/TheHive
[2] https://github.com/CERT-BDF/Cortex
[3] https://thehive-project.org/
[4] Web Application Hacker's Handbook.
[5] https://vuls.cert.org/confluence/pages/viewpage.action?pageId=4718642


Contents

1. Executive Summary ........ 1
1. Introduction ........ 3
2. Vulnerabilities ........ 5
3. Recommendations ........ 7
4. Detailed findings ........ 9
5. Appendices ........ 18


1. Introduction

1.1. Test Period and Duration

The pentest was performed in 4 man-days spanning several weeks, starting from February 9, 2017 and ending on March 21, 2017.

1.2. Credits

RANDORISEC and Davy Douhine, the company's CEO, would like to thank the following professionals, listed in alphabetical order, for their help performing the pentest described in this report:

- Frédéric Cikala
- Nicolas Mattiocco
- Florent Montel
- Mohamed Mrabah
- Maximilano Soler

Important Note

RANDORISEC and the pentesting professionals that joined it for this pentest have no contract with TheHive Project and did not receive any compensation of any sort to perform this pentest. RANDORISEC and the pentesting professionals listed above performed this work on their free time as a way to contribute to the security of Free, Open Source Software projects.

1.3. Perimeter and Methodology

1.3.1. Target

TheHive and Cortex applications were installed using the public Docker versions, following the instructions provided at the following location:

https://github.com/CERT-BDF/TheHive/wiki/Docker-guide---TheHive-Cortex

We performed our tests on TheHive Buckfast 0 (version 2.10.0) and on Cortex 1.0.0.


1.3.2. Restrictions

No restrictions were made.

1.3.3. Test cases

As the mission we took upon ourselves was a pentest and not an audit, this report contains only the vulnerabilities that were found. However, all the main areas that were checked are listed in the appendices at the end of this document.

1.4. Confidentiality

This report and its appendices are classified TLP:WHITE according to Trusted Introducer's ISTLP v1.1[6].

[6] https://www.trusted-introducer.org/ISTLPv11.pdf


2. Vulnerabilities

Severity levels result from the combination of their impact with their probability of occurrence, which is quantified according to the following scale: Low (L) – yellow / Medium (M) – orange / High (H) – red.

Note: Only proven or very plausible vulnerabilities are listed. When the tests were not able to highlight significant security holes, those will not be mentioned (unless the test was explicitly part of the request).

| Ref. | Title | Target(s) | Description | Risk(s) | Severity level |
|---|---|---|---|---|---|
| AP.1 | Stored XSS | TheHive | Malicious JavaScript code can be injected. It will then be executed on the victim's browser. | User impersonation | H |
| AP.2 | Reflected XSS | TheHive, Cortex | Malicious JavaScript code can be injected. It will then be executed on the victim's browser. | User impersonation | L |
| AP.3 | Vertical privilege escalation | TheHive | An authenticated simple user can have access to some admin menus. | Facilitates session usurpation | L |
| AP.4 | Concurrent sessions allowed | TheHive | Concurrent sessions are allowed for a single user. | Facilitates session usurpation | L |
| AP.5 | No account lockout policy | TheHive | Authentication system can be brute-forced. | Facilitates user impersonation | L |
| AP.6 | No password policy | TheHive | As no password policy is enforced when using the local database for storing user credentials, users can set weak passwords (e.g.: containing only one character). | Facilitates user impersonation | L |
| AP.7 | Information leakage | TheHive | Information such as installed software versions (TheHive, ElasticSearch) is publicly available. | Sensitive info leak | L |
| AP.8 | CSRF | TheHive | As no anti-CSRF tokens are used, TheHive is vulnerable to CSRF attacks. | Illegitimate access | L |


3. Recommendations

| Action | Ref. | Severity | Target(s) | Improvement Suggestions | Difficulty |
|---|---|---|---|---|---|
| 1 | AP.1, AP.2 | H | TheHive, Cortex | If possible, use a whitelist at the application level by defining the expected characters rather than refusing the dangerous ones. If that's not a possibility, the application should filter meta-characters from user input. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. | 3 |
| 2 | AP.3 | L | TheHive | Deny access to admin pages to non-admin users. | 2 |
| 3 | AP.4 | L | TheHive | Only allow one session per user at any given time. | 2 |
| 4 | AP.5 | L | TheHive | Enforce an account lockout policy. | 2 |
| 5 | AP.6 | L | TheHive | Implement a password policy, or use LDAP or AD authentication and ensure your LDAP/AD enforces a password policy. | 2 |
| 6 | AP.7 | L | TheHive | Deny access to potentially sensitive information to anonymous, non-authenticated users. | 2 |
| 7 | AP.8 | L | TheHive | Implement anti-CSRF tokens. | 2 |


4. Detailed findings

4.1. AP.1 - Stored XSS

TheHive is vulnerable to two HTML and JavaScript stored injections, also known as Stored Cross-Site Scripting vulnerabilities. They could be used by authenticated users to elevate their privileges, for example by hijacking an admin's session. The vulnerabilities are located in the Observables functionality and in the Observable management. The following screenshot shows that the code will be executed on the victim's browser:

1. First Stored XSS: Observables

Attack scenario: An authenticated user with write access (as defined in the user management page) creates an observable on a case and puts a malicious JavaScript payload as a value of the observable:


The JavaScript payload used to test this vulnerability is: <script>alert(/XSS/)</script>

The observable item is created:

Then, if a user that can access the case launches one or many analyzers (for example by clicking on the Run all analyzers link) on this observable:

The payload will be triggered:

2. Second Stored XSS: Observables management

Attack scenario: An authenticated user with admin access (as defined in the user management page) creates a new observable data type and puts a malicious JavaScript payload as the value of the data type:

The JavaScript payload used to test this vulnerability is: "><svg onload=confirm(/XSSagain/)>

The new observable data type is created:

If another admin user tries to delete this new data type, the payload will be triggered:

The response page shows the JavaScript payload:

Then the data type will be deleted. This particular behavior of "One-shot Stored XSS" is quite interesting as it could be used to attack administrators without leaving evidence. However, the pre-requisites to exploit it (admin access to TheHive) lower the risk of an exploitation using this particular attack vector.

The root of the vulnerability comes from the angular-ui-notification library, which seems to trust inputs as HTML: https://github.com/alexcrack/angular-ui-notification

An issue has been opened on GitHub: https://github.com/alexcrack/angular-ui-notification/issues/86

| Targets | Risk(s) | Recommendation | Severity |
|---|---|---|---|
| TheHive | User impersonation | If possible, use a white list at the application level by defining the expected characters rather than refusing the dangerous ones. If that's not a possibility, the application should filter meta-characters from user input. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. | High |

4.2. AP.2 - Reflected XSS

TheHive and Cortex are vulnerable to many HTML and JavaScript injections, also known as Reflected Cross-Site Scripting vulnerabilities. They could be used by authenticated users to elevate their privileges by hijacking an admin's session, or by anonymous users to impersonate an authenticated user's session, for example. The vulnerabilities are located in the new analysis functionality for Cortex and in the handling of error messages at TheHive's level. However, the latter is very unlikely to be exploitable, as it needs Internet Explorer 11 with compatibility mode enabled.

1. Reflected XSS in Cortex

Attack scenario: A user with access to Cortex[7] starts a new analysis and puts a malicious JavaScript payload in the Data field:

[7] Please note that Cortex does not use any kind of authentication and must not be exposed on public networks.


The JavaScript payload used to validate the vulnerability is: <script>alert(/XSS/)</script>

The following screenshot shows that the code is executed:

An excerpt of the response page showing the JavaScript payload is shown below:

2. Reflected XSS in TheHive

Attack scenario: An anonymous user sends a link containing a JavaScript payload (or a link to it) like the following:

http://1.1.1.8:8080/api/login?<script>alert("TheHive_vulnerable_to_XSS_;)")</script>

If opened, the code is executed:


However, the response page states that the content is not HTML (but "text/plain"), so an exploitation using this attack vector is very unlikely, as the victim has to run an old version of Internet Explorer or Internet Explorer 11 with compatibility mode enabled.

The root of the vulnerability comes from the angular-ui-notification library, which seems to trust inputs as HTML: https://github.com/alexcrack/angular-ui-notification

An issue has been opened on GitHub: https://github.com/alexcrack/angular-ui-notification/issues/86

| Targets | Risk(s) | Recommendation | Severity |
|---|---|---|---|
| TheHive, Cortex | User impersonation | If possible, use a white list at the application level by defining the expected characters rather than refusing the dangerous ones. If that's not a possibility, the application should filter meta-characters from user input. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. | Low |
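The two defences the recommendation for AP.1 and AP.2 asks for, as an added example that is not TheHive's or angular-ui-notification's code: a per-data-type whitelist applied to observable values on input, and HTML escaping applied to every user-controlled fragment before it reaches a notification message, since the library renders that message as HTML. The data type patterns and the message template are assumptions for illustration; the payloads are the ones quoted in the report.

```javascript
// Added example, not TheHive's or angular-ui-notification's code.
// Whitelist patterns for the observable data types named in the report
// (hypothetical simplification: a real validator would need IPv6, IDNs, etc.).
const OBSERVABLE_PATTERNS = {
  ip: /^(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}$/,
  domain: /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i,
  mail: /^[^\s@<>"']+@(?:[a-z0-9-]+\.)+[a-z]{2,63}$/i,
  hash: /^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$/i,
};

// True when the value matches the expected shape of its data type. Unknown
// data types (the admin-defined ones from the second finding) fall back to
// rejecting anything that could be read as markup.
function isValidObservable(dataType, value) {
  const pattern = OBSERVABLE_PATTERNS[dataType];
  if (pattern) return pattern.test(value);
  return !/[<>"'&]/.test(value);
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build a notification from a trusted template and untrusted parameters:
// template markup such as <b> is kept, every {name} placeholder is escaped,
// unknown placeholders are left visible rather than silently dropped.
function renderNotification(template, params) {
  return template.replace(/\{(\w+)\}/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(params, name) ? escapeHtml(params[name]) : match);
}

// Constructed inputs: the two payloads quoted in the report, plus a benign IP.
const STORED_PAYLOAD_1 = '<script>alert(/XSS/)</script>';
const STORED_PAYLOAD_2 = '"><svg onload=confirm(/XSSagain/)>';
const BENIGN_IP = '203.0.113.10';

// Hypothetical message template modelled on the "Run all analyzers" screen.
const OBSERVABLE_TEMPLATE = 'Analyzers launched on observable <b>{value}</b>';

function demo() {
  return {
    payloadAccepted: isValidObservable('ip', STORED_PAYLOAD_1),      // false
    dataTypeAccepted: isValidObservable('custom', STORED_PAYLOAD_2), // false
    ipAccepted: isValidObservable('ip', BENIGN_IP),                  // true
    rendered: renderNotification(OBSERVABLE_TEMPLATE, { value: STORED_PAYLOAD_1 }),
  };
}
```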

4.3. AP.3 - Vertical privilege escalation

An authenticated user with read-only access can use admin functionality and list the users created in the database.

Here is a screenshot of a request asking to list the users, and the response:


The request used is:

    POST /api/user/_search?range=0-10 HTTP/1.1
    Host: thehive.randorisec.fr:8080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0
    Accept: application/json, text/plain, */*
    Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    Referer: http://thehive.randorisec.fr:8080/index.html
    Content-Type: application/json;charset=utf-8
    Content-Length: 22
    Cookie: PLAY_SESSION=6b5415864c48577fc69186629e5bcf1f7b40b57c-username=maxi2&expire=1489027489081
    Connection: close

    {"query":{"_any":"*"}}

A malicious user could use this to list the other users and then try to discover their passwords.

| Targets | Risk(s) | Recommendation | Severity |
|---|---|---|---|
| TheHive | Facilitates session usurpation | Deny access to admin pages to non-admin users. | Low |

4.4. AP.4 - Concurrent sessions allowed

Concurrent sessions are allowed. If an attacker finds a way to hijack a session, it could go unnoticed by the legitimate user.

| Targets | Risk(s) | Recommendation | Severity |
|---|---|---|---|
| TheHive | Facilitates session usurpation | Only allow one session per user at any given time. | Low |

4.5. AP.5 - No account lockout policy

An attacker could brute-force the authentication system without being stopped or even slowed down.

Here is a screenshot showing a brute-force of 1000 requests against the login page:


With this issue an attacker could try to discover a user's password.

| Targets | Risk(s) | Recommendation | Severity |
|---|---|---|---|
| TheHive | Facilitates session usurpation | Enforce an account lockout policy. | Low |
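One way to implement the lockout policy recommended for AP.5, as an added example that is not TheHive's code: a per-account failure counter with a sliding window and a lockout period, driven by the same kind of burst the screenshot above shows (1000 attempts against one login). The thresholds, the in-memory store and the injectable clock are assumptions for the demonstration.

```javascript
// Added example, not TheHive's code. In-memory per-account lockout; a real
// deployment would share this state across application nodes.
const MAX_FAILURES = 5;            // failures allowed inside the window
const WINDOW_MS = 15 * 60 * 1000;  // failures older than this are forgotten
const LOCKOUT_MS = 15 * 60 * 1000; // how long a locked account stays locked

class LoginThrottle {
  constructor(now = () => Date.now()) {
    this.now = now;          // injectable clock so the behaviour is testable
    this.state = new Map();  // login -> { failures: [timestamps], lockedUntil }
  }

  entry(login) {
    if (!this.state.has(login)) this.state.set(login, { failures: [], lockedUntil: 0 });
    return this.state.get(login);
  }

  // True while the account is locked. Stale failures are pruned here too, so
  // a handler should call this before it even looks at the password.
  isLocked(login) {
    const e = this.entry(login);
    const t = this.now();
    e.failures = e.failures.filter((ts) => t - ts < WINDOW_MS);
    return e.lockedUntil > t;
  }

  // Record the outcome of one authentication attempt and return the decision
  // the login handler should act on: "locked", "failed" or "ok". A correct
  // password presented during the lockout is still refused.
  record(login, passwordCorrect) {
    const e = this.entry(login);
    const t = this.now();
    if (this.isLocked(login)) return 'locked';
    if (passwordCorrect) {
      e.failures = [];   // a successful login clears the counter
      return 'ok';
    }
    e.failures.push(t);
    if (e.failures.length >= MAX_FAILURES) e.lockedUntil = t + LOCKOUT_MS;
    return 'failed';
  }
}

// Constructed scenario mirroring the report's screenshot: a burst of wrong
// passwords against one account, 10 ms apart, then the right password.
function simulateBruteForce(attempts = 1000) {
  let clock = 0;
  const throttle = new LoginThrottle(() => clock);
  const counts = { failed: 0, locked: 0, ok: 0 };
  for (let i = 0; i < attempts; i++) {
    clock += 10;
    counts[throttle.record('admin', false)]++;
  }
  counts[throttle.record('admin', true)]++;   // refused: still locked
  return counts;                              // { failed: 5, locked: 996, ok: 0 }
}
```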

4.6. AP.6 - No password policy

No password policy is enforced in TheHive when using the local database for storing user credentials. Users can thus set weak passwords (e.g.: containing only one character) when changing their password.

This could help an attacker find valid credentials.

| Targets | Risk(s) | Recommendation | Severity |
|---|---|---|---|
| TheHive | Facilitates session usurpation | Implement a password policy, or use LDAP or AD authentication and ensure your LDAP/AD enforces a password policy. | Low |

4.7. AP.7 - Information leakage

Information such as installed software versions (TheHive, ElasticSearch) is publicly available.

Here is a screenshot showing an anonymous request and the response with the version information:

This could help an attacker in their reconnaissance phase.

| Targets | Risk(s) | Recommendation | Severity |
|---|---|---|---|
| TheHive | Facilitates session usurpation | Deny access to info to anonymous, non-authenticated users. | Low |


4.8. AP.8 - CSRF (Cross Site Request Forgery)

As no anti-CSRF tokens are used, TheHive is vulnerable to CSRF attacks.

Here is a screenshot showing an authenticated request, without anti-CSRF token, sent to create a user:

By using social engineering tricks (or a stored XSS) an attacker could trick an admin into launching the following request, which will create a user and grant illegitimate access:

    <html>
    <script>
    function jsonreq() {
      var xmlhttp = new XMLHttpRequest();
      xmlhttp.withCredentials = true;
      xmlhttp.open("POST", "http://thehive.randorisec.fr:8080/api/user", true);
      xmlhttp.setRequestHeader("Content-Type", "application/json");
      xmlhttp.send('{"roles":["read","write","admin"],"login":"hacker11","name":"hacker11 hakcker11","password":"hacker4"}');
    }
    jsonreq();
    </script>
    </html>

However, this behavior is prohibited by modern browsers and the Same-origin policy (SOP). Nonetheless, this vulnerability should be taken into consideration, as a loosely configured CORS (Cross-Origin Resource Sharing) policy could increase the probability of such an attack.

| Targets | Risk(s) | Recommendation | Severity |
|---|---|---|---|
| TheHive | Facilitates session usurpation | Implement anti-CSRF tokens. | Low |


5. Appendices

5.1 WAHH checks

| Recon and analysis | checked? | vuln |
|---|---|---|
| Map visible content | x | |
| Discover hidden & default content | x | |
| Test for debug parameters | x | |
| Identify data entry points | x | |
| Identify the technologies used | x | |
| Map the attack surface | x | |

| Test handling of access | checked? | vuln |
|---|---|---|
| Authentication | x | |
| Test password quality rules | x | #AP.6 |
| Test for username enumeration | x | |
| Test resilience to password guessing | x | #AP.5 |
| Test any account recovery function | x | |
| Test any "remember me" function | x | |
| Test any impersonation function | x | |
| Test username uniqueness | x | |
| Check for unsafe distribution of credentials | x | |
| Test for fail-open conditions | x | |
| Test any multi-stage mechanisms | x | |
| Session handling | x | #AP.4 |
| Test tokens for meaning | x | |
| Test tokens for predictability | x | |
| Check for insecure transmission of tokens | x | |
| Check for disclosure of tokens in logs | x | |
| Check mapping of tokens to sessions | x | |
| Check session termination | x | |
| Check for session fixation | x | |
| Check for cross-site request forgery | x | #AP.8 |
| Check cookie scope | x | |
| Access controls | x | #AP.3 #AP.7 |
| Understand the access control requirements | x | |
| Test effectiveness of controls, using multiple accounts | x | |
| Test for insecure access control methods (Referer, etc.) | x | |

| Test handling of input | checked? | vuln |
|---|---|---|
| Fuzz all request parameters | x | |
| Test for SQL injection | x | |
| Identify all reflected data | x | |
| Test for reflected XSS | x | #AP.2 |
| Test for HTTP header injection | x | |
| Test for arbitrary redirection | x | |
| Test for stored attacks | x | #AP.1 |
| Test for OS command injection | x | |
| Test for path traversal | x | |
| Test for script injection | x | |
| Test for file inclusion | x | |
| Test for SMTP injection | x | |
| Test for native software flaws (BoF, integer bugs, format strings) | x | |
| Test for SOAP injection | x | |
| Test for LDAP injection | x | |
| Test for XPath injection | x | |

| Test application logic | checked? | vuln |
|---|---|---|
| Identify the logic attack surface | x | |
| Test transmission of data via the client | x | |
| Test for reliance on client-side input validation | x | |
| Test any thick-client components (Java, ActiveX, Flash) | x | |
| Test multi-stage processes for logic flaws | x | |
| Test handling of incomplete input | x | |
| Test trust boundaries | x | |
| Test transaction logic | x | |

| Assess application hosting | checked? | vuln |
|---|---|---|
| Test segregation in shared infrastructures | N/A | |
| Test segregation between ASP-hosted applications | N/A | |
| Test for web server vulnerabilities | N/A | |
| Default credentials | N/A | |
| Default content | N/A | |
| Dangerous HTTP methods | N/A | |
| Proxy functionality | N/A | |
| Virtual hosting mis-configuration | N/A | |
| Bugs in web server software | N/A | |

| Miscellaneous tests | checked? | vuln |
|---|---|---|
| Check for DOM-based attacks | x | |
| Check for frame injection | x | |
| Check for local privacy vulnerabilities | x | |
| Persistent cookies | x | |
| Caching | x | |
| Sensitive data in URL parameters | x | |
| Forms with autocomplete enabled | x | |
| Follow up any information leakage | x | |
| Check for weak SSL ciphers | N/A | |

N/A: Not applicable