Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pentest report #38

Closed
16 tasks done
Nagarian opened this issue May 2, 2024 · 1 comment
Closed
16 tasks done

Pentest report #38

Nagarian opened this issue May 2, 2024 · 1 comment
Labels
bug Something isn't working
Milestone
2024

Comments

@Nagarian
Copy link
Contributor

Nagarian commented May 2, 2024
edited
Loading

Following the pentest done by Laluka, we have somes issues to fix for a better security improvment !
You can watch the report replay (in french) here -> https://www.youtube.com/watch?v=Z34a3QQDoa0

  • mongo-express
  • race conditions
    • Add extra member to team, no lock // yes, team of 10+
    • Flag double submit // race, but self score decrease 😄
  • proto
    • DOS whole site, create team/user/pass "proto", kills the backend
    • username == proto makes invisible user in dashboard
    • proto pollution : TypeError: Cannot read properties of undefined (reading 'proto') : statistics.teams[team].users[username].sockets++ AND [cur.team]: [...(acc[cur.team] ?? []), cur],
  • others
    • User Oracle in register
    • storing cleartext flags p1 plz bounty
    • host lpe: sudo usermod -aG docker ubuntu
    • HA: restart: always on all dockers
@Nagarian Nagarian added the bug Something isn't working label May 2, 2024
@Nagarian Nagarian added this to the 2024 milestone May 2, 2024
Nagarian added a commit that referenced this issue May 3, 2024
@Nagarian
fix: prototype pollution with username and teamname
32cfbfe 
relates: #38
Nagarian added a commit that referenced this issue May 3, 2024
@Nagarian
fix: prototype pollution with username and teamname
660c8b6 
relates: #38
@Nagarian
Copy link
Contributor Author

Nagarian commented May 4, 2024

User oracle in register will not be handle since when we can already have the list of all the users when we go into scoreboard screen

Nagarian added a commit that referenced this issue May 9, 2024
@Nagarian
fix(server): prototype pollution with username and teamname
e89d54f 
relates: #38
Nagarian added a commit that referenced this issue May 14, 2024
@Nagarian
feat(server): add lock around flag submission
e19799a 
relates: #38
Nagarian added a commit that referenced this issue May 14, 2024
@Nagarian
feat(server): protect register from race condition
f0e1857 
relates #38
Nagarian added a commit that referenced this issue May 14, 2024
@Nagarian
feat(server): add lock around flag submission
1143ef8 
relates: #38
Nagarian added a commit that referenced this issue May 14, 2024
@Nagarian
feat(server): protect register from race condition
933db4e 
relates #38
Nagarian added a commit that referenced this issue May 19, 2024
@Nagarian
fix(server): prototype pollution with username and teamname
d65709d 
relates: #38
Nagarian added a commit that referenced this issue May 19, 2024
@Nagarian
feat(server): add lock around flag submission
ae148c9 
relates: #38
Nagarian added a commit that referenced this issue May 19, 2024
@Nagarian
feat(server): protect register from race condition
5ba43ab 
relates #38
@Nagarian Nagarian mentioned this issue Jun 1, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
2024
Development

No branches or pull requests
1 participant
@Nagarian