From 01e762029bde3402720c048ec3ffb30b768f949f Mon Sep 17 00:00:00 2001 From: mike-holbrook-bc Date: Mon, 7 Oct 2024 11:14:41 +0100 Subject: [PATCH 01/17] Added no lockout template --- .../no_account_lockout/recommendations.md | 5 +++++ .../no_account_lockout/template.md | 11 +++++++++++ 2 files changed, 16 insertions(+) create mode 100644 submissions/description/insufficient_security_configurability/no_account_lockout/recommendations.md create mode 100644 submissions/description/insufficient_security_configurability/no_account_lockout/template.md diff --git a/submissions/description/insufficient_security_configurability/no_account_lockout/recommendations.md b/submissions/description/insufficient_security_configurability/no_account_lockout/recommendations.md new file mode 100644 index 00000000..1bbd0d96 --- /dev/null +++ b/submissions/description/insufficient_security_configurability/no_account_lockout/recommendations.md @@ -0,0 +1,5 @@ +**Recommendation** + +An account lockout should be enforced to provide an extra layer of defence against brute force attacks, in addition to a strong password policy. A reasonable account lockout policy would be to lockout an account for fifteen minutes if five invalid login attempts were made within a ten-minute period, however this can be adapted depending on business requirements or the sensitivity of the application. + +It is important to ensure that the lockout is not permanent, otherwise this can be used to perform denial of service attacks against the system by purposely locking valid accounts out. \ No newline at end of file diff --git a/submissions/description/insufficient_security_configurability/no_account_lockout/template.md b/submissions/description/insufficient_security_configurability/no_account_lockout/template.md new file mode 100644 index 00000000..f9ad73e6 --- /dev/null +++ b/submissions/description/insufficient_security_configurability/no_account_lockout/template.md 
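Review bot: the recommendation in recommendations.md (`An account lockout should be enforced to provide an extra layer of defence against brute force attacks`) should also say that a temporary per-account lockout does not stop password spraying, where one common password is tried against many accounts and no single account ever reaches the five-attempt threshold; suggest naming per-source rate limiting and multi-factor authentication as companion controls next to the strong password policy the text already mentions. The file is also committed without a trailing newline (`\ No newline at end of file`); add one so later diffs stay clean.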
@@ -0,0 +1,11 @@ +The application was found to have no account lockout enforced, thereby potentially allowing an attacker to brute force accounts for an indefinite period. + +An account lockout is a countermeasure whereby a user account is prevented from logging in temporarily after an incorrect password is supplied a fixed number of times. The lack of account lockout makes the application particularly vulnerable to brute force attacks, which could lead to the direct compromise of users’ accounts. + +It is normally trivial to determine the difference between a successful and failed login attempt automatically. Therefore, it is possible for an attacker to write a script to continuously attempt to login with many different passwords and report on any that were successful. Without a strong password policy in place, this technique is likely to succeed. + +**Proof of Concept (PoC)** + +The following screenshot shows the use of a tool to automate the numerous login requests to the application. As visible from the response statuses, it was possible to successfully login to the application after submitting 25 consecutive invalid login requests: + +{{screnshot}} From 04c9639f6788d8208f84eabac87702e5dfc123c2 Mon Sep 17 00:00:00 2001 From: mike-holbrook-bc Date: Mon, 7 Oct 2024 11:17:36 +0100 Subject: [PATCH 02/17] Added business impact to No Account Lockout --- .../no_account_lockout/template.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/submissions/description/insufficient_security_configurability/no_account_lockout/template.md b/submissions/description/insufficient_security_configurability/no_account_lockout/template.md index f9ad73e6..30bdc218 100644 --- a/submissions/description/insufficient_security_configurability/no_account_lockout/template.md +++ b/submissions/description/insufficient_security_configurability/no_account_lockout/template.md 
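Review bot: the placeholder on the last line of template.md, `{{screnshot}}`, is misspelled and will be copied into reports as-is; change it to `{{screenshot}}`. Minor wording in the same file: `attempt to login` should be `attempt to log in` (verb form), and `brute force accounts for an indefinite period` would be more precise as `make an unlimited number of attempts`, since the missing control is a ceiling on attempts rather than a time limit.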
@@ -4,6 +4,10 @@ An account lockout is a countermeasure whereby a user account is prevented from It is normally trivial to determine the difference between a successful and failed login attempt automatically. Therefore, it is possible for an attacker to write a script to continuously attempt to login with many different passwords and report on any that were successful. Without a strong password policy in place, this technique is likely to succeed. +**Business Impact** + +Having no account lockout can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. + **Proof of Concept (PoC)** The following screenshot shows the use of a tool to automate the numerous login requests to the application. As visible from the response statuses, it was possible to successfully login to the application after submitting 25 consecutive invalid login requests: From b62864ae4f406de67c330c80948cdd21f8876ab1 Mon Sep 17 00:00:00 2001 From: mike-holbrook-bc Date: Mon, 7 Oct 2024 11:26:02 +0100 Subject: [PATCH 03/17] Added Business Logic Bypass template --- .../business_logic_bypass/recommendations.md | 11 ++++++++++ .../business_logic_bypass/template.md | 20 +++++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 submissions/description/insufficient_security_configurability/business_logic_bypass/recommendations.md create mode 100644 submissions/description/insufficient_security_configurability/business_logic_bypass/template.md diff --git a/submissions/description/insufficient_security_configurability/business_logic_bypass/recommendations.md b/submissions/description/insufficient_security_configurability/business_logic_bypass/recommendations.md new file mode 100644 index 00000000..9b071330 --- /dev/null +++ b/submissions/description/insufficient_security_configurability/business_logic_bypass/recommendations.md 
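Review bot: the new **Business Impact** paragraph lists only reputational damage, while the description directly above it states the flaw `could lead to the direct compromise of users’ accounts`; the impact should lead with account takeover and whatever data or actions a compromised account reaches, with reputational harm as the consequence. The sentence also reads awkwardly (`or trust that their data within will remain secure`); suggest: `customers may conclude that the business does not take account security seriously or that their data will not remain secure.`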
@@ -0,0 +1,11 @@ +**Recommendation** + +Remediate the identified flaws within the applications design and implementation, to ensure that the intended application logic cannot be bypassed or manipulated to elicit unintended behaviours. + +Furthermore, the following key points should be taken into consideration: + +* Ensure developers and Quality Assurance testers understand the application and its intended functionality. +* Avoid making implicit assumptions about user behaviour or other parts of the application. +* Maintain clear design documents and data flows for all transactions and workflows, noting any assumptions that are made at each stage. +* Write code as clearly as possible. If it's difficult to understand what is supposed to happen, it will be difficult to spot any logic flaws. Ensure that developers and testers know what assumptions are being made and exactly what the expected behaviour is. +* Note any references to other code that uses each component. Consider any side-effects of these dependencies if a malicious party were to manipulate them in an unintended manner. \ No newline at end of file diff --git a/submissions/description/insufficient_security_configurability/business_logic_bypass/template.md b/submissions/description/insufficient_security_configurability/business_logic_bypass/template.md new file mode 100644 index 00000000..d02da53c --- /dev/null +++ b/submissions/description/insufficient_security_configurability/business_logic_bypass/template.md 
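Review bot: `applications design` in the first paragraph of recommendations.md should be `application's design`, and the file lacks a trailing newline. The bullet list uses `*` markers where the other templates in this PR use `-`; pick one for consistency across the repository.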
@@ -0,0 +1,20 @@ +Business logic vulnerabilities occur due to logic flaws in an applications workflow, often stemming from mistaken expectations regarding user behaviour. This can lead to a condition where failure to anticipate unexpected states during the design and implementation of the application results in a malicious user being able to trigger unintended behaviour. + +An attacker may exploit this vulnerability to manipulate workflows, abuse legitimate features and functionality, or bypass traditional security controls. + +{{Describe the application logic bypass identified in the in-scope application}} + +**Business Impact** + +This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. + +**Steps to Reproduce** + +1. Step 1 +1. Step 2, with context: + ```http + POST /example HTTP/2 + Host: example.com + + {"param":"value"} + ``` \ No newline at end of file From 55bf4047c58741f01b338dc93fe59fb9e3d5ca2c Mon Sep 17 00:00:00 2001 From: mike-holbrook-bc Date: Mon, 7 Oct 2024 11:41:39 +0100 Subject: [PATCH 04/17] Added unpatched javascript libraries template --- .../recommendations.md | 4 +++ .../template.md | 26 +++++++++++++++++++ 2 files changed, 30 insertions(+) create mode 100644 submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/recommendations.md create mode 100644 submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md diff --git a/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/recommendations.md b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/recommendations.md new file mode 100644 index 00000000..386b78b0 --- /dev/null +++ b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/recommendations.md 
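Review bot: `an applications workflow` in the first line of template.md should be `an application's workflow`. More substantively, the **Business Impact** text (`reputational damage and indirect financial loss to the company`) is generic for a finding whose impact is defined entirely by the workflow that was bypassed (free goods, a skipped approval step, an exceeded limit); make it a `{{...}}` placeholder like the description paragraph already is, or instruct the researcher to state what the bypass actually yields. Trailing newline is missing here too.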
@@ -0,0 +1,4 @@ + **Recommendation** + +Ensure that all JavaScript libraries and their associated components are routinely updated to the latest secure version. +Deprecated libraries should be reviewed for replacement by actively maintained alternatives. \ No newline at end of file diff --git a/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md new file mode 100644 index 00000000..d67d8c14 --- /dev/null +++ b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md 
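Review bot: the first line of recommendations.md has a leading space before `**Recommendation**`, unlike every other recommendations.md in this PR; remove it so the heading lines match. `Ensure that all JavaScript libraries ... are routinely updated` gives the reader no mechanism; suggest one sentence on keeping an inventory of client-side dependencies and checking them against known-vulnerability data as part of the build, so the finding does not recur after the next release. Trailing newline is missing.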
@@ -0,0 +1,26 @@ +The application was found to be using outdated and unpatched JavaScript libraries. Without security updates, these libaries are vulnerable to a number of publicly disclosed vulnerabilities. + +Given their close integration with the Document Object Model (DOM), JavaScript libraries are a prime target for Cross Site Scripting (XSS) attacks. + +{{Delete if not applicable}} Additionally, further JavaScript libraries were identified that are no longer maintained. Consequently, these libraries will no longer be able to receive security updates and patches for known vulnerabilities. + +The affected software versions and related vulnerabilities have been listed below: + +{{example formatting below}} + +>**[Bootstrap v3.4.1](https://getbootstrap.com/)** +>- Bootstrap before 4.0.0 is end-of-life and no longer maintained +>- [CVE-2024-6485](https://nvd.nist.gov/vuln/detail/CVE-2024-6485): XSS in bootstrap button component +>- [CVE-2024-6484](https://nvd.nist.gov/vuln/detail/CVE-2024-6485): XSS in carousel component + +**Proof Of Concept (PoC)** + +Navigate to the following JavaScript library files and view the version numbers disclosed at the top of the files: + +{{direct link to source file}} +``` +* Bootstrap v3.4.1 (https://getbootstrap.com/) + * Copyright 2011-2019 Twitter, Inc. + * Licensed under the MIT license + */ +``` From 1b1b4f94dc55f1ae735478bc423d883b18276a5a Mon Sep 17 00:00:00 2001 From: mike-holbrook-bc Date: Mon, 7 Oct 2024 11:43:36 +0100 Subject: [PATCH 05/17] Added business impact to Unpatched Javascript Libraries template --- .../unpatched_javascript_libraries/template.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md index d67d8c14..fdfa0d41 100644 
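Review bot: the third bullet of the example block links the wrong advisory: the text reads `CVE-2024-6484` but the URL is `https://nvd.nist.gov/vuln/detail/CVE-2024-6485`, identical to the bullet above it; point it at `.../CVE-2024-6484`. Also `libaries` in the first paragraph should be `libraries`, and the PoC fence opens mid-comment (`* Bootstrap v3.4.1 (https://getbootstrap.com/)` through ` */`) with a closing delimiter but no opening one, so it is not a faithful copy of a file header; include the opening line or label the snippet as an excerpt.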
--- a/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md +++ b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md @@ -13,6 +13,10 @@ The affected software versions and related vulnerabilities have been listed belo >- [CVE-2024-6485](https://nvd.nist.gov/vuln/detail/CVE-2024-6485): XSS in bootstrap button component >- [CVE-2024-6484](https://nvd.nist.gov/vuln/detail/CVE-2024-6485): XSS in carousel component +**Business Impact** + +Outdated Software Version can lead to reputational damage for the business due to a loss in confidence and trust by users. + **Proof Of Concept (PoC)** Navigate to the following JavaScript library files and view the version numbers disclosed at the top of the files: From f38d437dd50f20c431efbc1d16889626c8847431 Mon Sep 17 00:00:00 2001 From: mike-holbrook-bc Date: Mon, 7 Oct 2024 11:44:46 +0100 Subject: [PATCH 06/17] Changed business impact wording in unpatched JS libraries template --- .../unpatched_javascript_libraries/template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md index fdfa0d41..6dfb3571 100644 --- a/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md +++ b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md 
@@ -15,7 +15,7 @@ The affected software versions and related vulnerabilities have been listed belo **Business Impact** -Outdated Software Version can lead to reputational damage for the business due to a loss in confidence and trust by users. +Outdated JavaScript libraties can lead to reputational damage for the business due to a loss in confidence and trust by users. **Proof Of Concept (PoC)** From e6cef765a06575415034abdbd29af451a5391ea5 Mon Sep 17 00:00:00 2001 From: mike-holbrook-bc Date: Mon, 7 Oct 2024 11:45:06 +0100 Subject: [PATCH 07/17] Fixed typo --- .../unpatched_javascript_libraries/template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md index 6dfb3571..d4304f20 100644 --- a/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md +++ b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md @@ -15,7 +15,7 @@ The affected software versions and related vulnerabilities have been listed belo **Business Impact** -Outdated JavaScript libraties can lead to reputational damage for the business due to a loss in confidence and trust by users. +Outdated JavaScript libraries can lead to reputational damage for the business due to a loss in confidence and trust by users. **Proof Of Concept (PoC)** From 59d80a4be531eba1bbc690cc9c2ee56099fac7b7 Mon Sep 17 00:00:00 2001 
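Review bot: after the two wording fixes in [PATCH 06/17] and [PATCH 07/17], the Business Impact sentence (`Outdated JavaScript libraries can lead to reputational damage for the business due to a loss in confidence and trust by users.`) still names only reputational harm, whereas the description already identifies the concrete consequence: XSS against users through the vulnerable library, and from there session or account compromise. Lead with that. Since [PATCH 05/17] to [PATCH 07/17] only add and then correct this one sentence, squash them into a single commit.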
From: mike-holbrook-bc Date: Mon, 7 Oct 2024 12:00:33 +0100 Subject: [PATCH 08/17] Added insecure content security policy template --- .../recommendations.md | 10 +++++++++ .../template.md | 21 +++++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/recommendations.md create mode 100644 submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/template.md diff --git a/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/recommendations.md b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/recommendations.md new file mode 100644 index 00000000..a80e115e --- /dev/null +++ b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/recommendations.md @@ -0,0 +1,10 @@ +**Recommendation** + +The `Content-Security-Policy` header should be configured in a way that reduces the attack surface of the application. The CSP header is not set as a default catch-all, due to its permissive design. Therefore, It is important to ensure that the CSP header is not too permissive for the application's needs, and has directives appropriately set. + +For example, the `script-src` directive should have a value applied to block all inline scripts at a minimum. This will prevent the execution of JavaScript that has been injected into the page through cross-site scripting attacks. Furthermore, an allow list of external sources can be specified to prevent injection of Javascript from sources that lie outside of the page. + +For more information, please see: + +- +- \ No newline at end of file 
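Review bot: the two bullets under `For more information, please see:` at the end of recommendations.md are empty (`- ` and `- `), so the references the sentence promises are missing; add the links or drop the section. The sentence `The CSP header is not set as a default catch-all, due to its permissive design.` is unclear; if the intent is that there is no single safe default policy and each directive must be tuned to the application, say that. For `script-src`, `a value applied to block all inline scripts` should be stated concretely: omit `'unsafe-inline'` and allow inline scripts only through per-response nonces or hashes, because a host allow list alone is routinely undermined by JSONP or open redirect endpoints on the allowed hosts. Also `Javascript` should be `JavaScript` and `Therefore, It` should be lowercase `it`.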
diff --git a/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/template.md b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/template.md new file mode 100644 index 00000000..e7203718 --- /dev/null +++ b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/template.md @@ -0,0 +1,21 @@ +The configured `Content Security Policy` (CSP) was insecure. + +CSP is a mechanism designed to add an additional layer of protection against injection attacks such as Cross-Site Scripting (XSS) and clickjacking. CSP achieves this by specifying the limitations on which resources may be loaded and from where. + +A CSP can inherit weakness if configured by attributes that reduce the security benefits of having a CSP. The in-scope application's CSP was found to be insecure due to the usage of the following explicitly unsafe source expressions: + +{{replace following with relevant insecure directives}} +- unsafe-inline: allows the execution of untrusted inline page scripts and event handlers +- unsafe-eval: allows the execution of code injected into DOM APIs such as eval() + +An attacker may leverage an insecure CSP to attempt attacks with the aim of executing malicious code in a user’s browser. + +**Business Impact** +An insecure `Content-Security-Policy` header can lead to reputational damage and indirect financial loss to the business due to an advanced attacker’s ability to access data through a XSS attack. The degree of impact is dependent on the sensitivity of data being transmitted over the wire and the sophistication of the attacker’s abilities. + + +**Proof of Concept (PoC)** + +The following code snippet contains the Content-Security-Policy header returned by the application: + +`Content-Security-Policy:` 
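Review bot: the two source expressions in template.md are listed bare (`unsafe-inline`, `unsafe-eval`), but in a CSP they are keyword tokens that must be written quoted (`'unsafe-inline'`, `'unsafe-eval'`); quote them so researchers copying the text match the actual header value. `eval()` is a JavaScript API rather than a DOM API, so `DOM APIs such as eval()` should read `JavaScript APIs such as eval(), Function() and string arguments to setTimeout()`. `**Business Impact**` is immediately followed by its paragraph with no blank line, so Markdown will render heading and body as one paragraph, and the PoC line `Content-Security-Policy:` has no `{{...}}` value marker where the rest of the file uses them.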
From 2455cc521704efffd378331e85221a22067204fb Mon Sep 17 00:00:00 2001 From: mike-holbrook-bc Date: Mon, 7 Oct 2024 12:02:43 +0100 Subject: [PATCH 09/17] Modified insecure CSP wording --- .../insecure_content_security_policy/template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/template.md b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/template.md index e7203718..9bd2d521 100644 --- a/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/template.md +++ b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/template.md @@ -1,6 +1,6 @@ The configured `Content Security Policy` (CSP) was insecure. -CSP is a mechanism designed to add an additional layer of protection against injection attacks such as Cross-Site Scripting (XSS) and clickjacking. CSP achieves this by specifying the limitations on which resources may be loaded and from where. +A CSP is a mechanism designed to add an additional layer of protection against injection attacks such as Cross-Site Scripting (XSS) and clickjacking. The CSP achieves this by specifying the limitations on which resources may be loaded and from where. A CSP can inherit weakness if configured by attributes that reduce the security benefits of having a CSP. The in-scope application's CSP was found to be insecure due to the usage of the following explicitly unsafe source expressions: From ed9b336d79190eb7e18a8f279843a6688a906811 Mon Sep 17 00:00:00 2001 
From: mike-holbrook-bc Date: Mon, 7 Oct 2024 12:11:23 +0100 Subject: [PATCH 10/17] Added software version in response header template --- .../recommendations.md | 3 +++ .../template.md | 17 +++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/recommendations.md create mode 100644 submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/template.md diff --git a/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/recommendations.md b/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/recommendations.md new file mode 100644 index 00000000..c4203bd2 --- /dev/null +++ b/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/recommendations.md @@ -0,0 +1,3 @@ +**Recommendation** + +Remove the version number disclosure in the HTTP response headers, either by removing the headers entirely, or having them return a generic response. Vendor documentation should provide specific details on how to adjust the configuration to remove version numbers. \ No newline at end of file diff --git a/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/template.md b/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/template.md new file mode 100644 index 00000000..b127af1a --- /dev/null 
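Review bot: `Vendor documentation should provide specific details on how to adjust the configuration` leaves the reader to search; since the template's own example is `Server: nginx/1.17.10`, give at least that case inline (`server_tokens off;` hides the version from nginx's `Server` header) and note that removing the header entirely is not possible with stock nginx directives, so the `generic response` option is the realistic one there.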
+++ b/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/template.md @@ -0,0 +1,17 @@ +Software version numbers were disclosed within the HTTP response headers. + +An attacker could use this information to enumerate the underlying technologies and plan further attacks based on the versions disclosed. + +**Business Impact** + +Software version disclosures can lead to reputational damage for the business due to a loss in confidence from users who can see that the web server is running on older software. If an attacker is successful in identifying and exploiting a known vulnerability for the identified version of software on this host, this can lead to indirect financial losses and data loss. + + +**Steps to Reproduce** + +1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP +1. In a browser, navigate to the homepage of the application +1. Use the Web Proxy to intercept the response +1. Observe the `{{header name}}` response header, noting the the version number disclosed for the software `{{disclosed software}}`, e.g: + +>`Server: nginx/1.17.10` From 0d8edda5366c8ce4ecde36129f33ff0715420409 Mon Sep 17 00:00:00 2001 
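Review bot: step 4 has a doubled word (`noting the the version number`), `e.g:` should be `e.g.:`, and step 1's `a HTTP interception proxy` should be `an HTTP interception proxy`. The Business Impact claim that users `can see that the web server is running on older software` overstates what an ordinary user sees in a browser; the real impact is the one in the second sentence (a known vulnerability matched to the disclosed version and exploited), so lead with that and keep the reputational point secondary.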
From: mike-holbrook-bc Date: Wed, 16 Oct 2024 15:31:53 +0100 Subject: [PATCH 11/17] Added generic guidance.md to findings --- .../business_logic_bypass/guidance.md | 0 .../no_account_lockout/guidance.md | 0 .../software_versions_disclosed_in_response_headers/guidance.md | 0 .../insecure_content_security_policy/guidance.md | 0 .../unpatched_javascript_libraries/guidance.md | 0 5 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 submissions/description/insufficient_security_configurability/business_logic_bypass/guidance.md create mode 100644 submissions/description/insufficient_security_configurability/no_account_lockout/guidance.md create mode 100644 submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/guidance.md create mode 100644 submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/guidance.md create mode 100644 submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/guidance.md diff --git a/submissions/description/insufficient_security_configurability/business_logic_bypass/guidance.md b/submissions/description/insufficient_security_configurability/business_logic_bypass/guidance.md new file mode 100644 index 00000000..e69de29b diff --git a/submissions/description/insufficient_security_configurability/no_account_lockout/guidance.md b/submissions/description/insufficient_security_configurability/no_account_lockout/guidance.md new file mode 100644 index 00000000..e69de29b diff --git a/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/guidance.md b/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/guidance.md new file mode 100644 index 00000000..e69de29b 
diff --git a/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/guidance.md b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/guidance.md new file mode 100644 index 00000000..e69de29b diff --git a/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/guidance.md b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/guidance.md new file mode 100644 index 00000000..e69de29b From c612532cf9c91e42e111d9778a90cafe078f68b3 Mon Sep 17 00:00:00 2001 From: mike-holbrook-bc Date: Wed, 16 Oct 2024 15:34:54 +0100 Subject: [PATCH 12/17] Forgot to save files --- .../business_logic_bypass/guidance.md | 5 +++++ .../no_account_lockout/guidance.md | 5 +++++ .../guidance.md | 5 +++++ .../insecure_content_security_policy/guidance.md | 5 +++++ .../unpatched_javascript_libraries/guidance.md | 5 +++++ 5 files changed, 25 insertions(+) diff --git a/submissions/description/insufficient_security_configurability/business_logic_bypass/guidance.md b/submissions/description/insufficient_security_configurability/business_logic_bypass/guidance.md index e69de29b..c7a67751 100644 --- a/submissions/description/insufficient_security_configurability/business_logic_bypass/guidance.md +++ b/submissions/description/insufficient_security_configurability/business_logic_bypass/guidance.md 
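Review bot: every guidance.md created in [PATCH 11/17] is empty (the `index 00000000..e69de29b` lines are git's empty-blob hash), and [PATCH 12/17] `Forgot to save files` supplies the content; squash the two so the history never contains five empty files.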
@@ -0,0 +1,5 @@ +**Guidance** + +Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. + +Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). \ No newline at end of file diff --git a/submissions/description/insufficient_security_configurability/no_account_lockout/guidance.md b/submissions/description/insufficient_security_configurability/no_account_lockout/guidance.md index e69de29b..c7a67751 100644 --- a/submissions/description/insufficient_security_configurability/no_account_lockout/guidance.md +++ b/submissions/description/insufficient_security_configurability/no_account_lockout/guidance.md @@ -0,0 +1,5 @@ +**Guidance** + +Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. + +Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). \ No newline at end of file diff --git a/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/guidance.md b/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/guidance.md index e69de29b..c7a67751 100644 --- a/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/guidance.md 
+++ b/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/guidance.md @@ -0,0 +1,5 @@ +**Guidance** + +Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. + +Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). \ No newline at end of file diff --git a/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/guidance.md b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/guidance.md index e69de29b..c7a67751 100644 --- a/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/guidance.md +++ b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/guidance.md @@ -0,0 +1,5 @@ +**Guidance** + +Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. + +Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). \ No newline at end of file 
diff --git a/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/guidance.md b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/guidance.md index e69de29b..c7a67751 100644 --- a/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/guidance.md +++ b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/guidance.md @@ -0,0 +1,5 @@ +**Guidance** + +Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. + +Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). \ No newline at end of file From 29c84e8725b6ac0d97a4aabd59a930bd97f64afc Mon Sep 17 00:00:00 2001 
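Review bot: all five guidance.md files receive identical text (the same blob `c7a67751` in every hunk), and for two of them it does not fit: software_versions_disclosed_in_response_headers and unpatched_javascript_libraries are informational findings with nothing to `exploit` or `escalate`, so asking for an exploitation walkthrough will not give triage what it needs; ask instead for the header value or the library version and file URL, plus the CVE or advisory matched. For no_account_lockout, `Attempt to escalate the vulnerability to perform additional actions` reads as an invitation to brute-force real accounts; it should say to demonstrate the missing lockout against the researcher's own test account with a small number of attempts.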
From: RRudder <96507400+RRudder@users.noreply.github.com> Date: Tue, 31 Mar 2026 11:59:00 +1000 Subject: [PATCH 13/17] Updates to match release v1.18.1 --- .../business_logic_bypass/recommendations.md | 11 ------ .../business_logic_bypass/template.md | 20 ---------- .../no_account_lockout/template.md | 19 ++++++---- .../guidance.md | 2 +- .../recommendations.md | 2 +- .../template.md | 15 +++++--- .../guidance.md | 5 --- .../template.md | 21 ----------- .../guidance.md | 2 +- .../recommendations.md | 2 +- .../insecure_csp/template.md | 21 +++++++++++ .../guidance.md | 2 +- .../recommendations.md | 4 +- .../template.md | 37 ++++++++----------- 14 files changed, 64 insertions(+), 99 deletions(-) delete mode 100644 submissions/description/insufficient_security_configurability/business_logic_bypass/recommendations.md delete mode 100644 submissions/description/insufficient_security_configurability/business_logic_bypass/template.md rename submissions/description/{insufficient_security_configurability/business_logic_bypass => server_security_misconfiguration/fingerprinting_banner_disclosure/software_version_in_response_headers}/guidance.md (99%) rename submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/{software_versions_disclosed_in_response_headers => software_version_in_response_headers}/recommendations.md (96%) rename submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/{software_versions_disclosed_in_response_headers => software_version_in_response_headers}/template.md (56%) delete mode 100644 submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/guidance.md delete mode 100644 submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/template.md rename 
submissions/description/server_security_misconfiguration/misconfigured_security_headers/{insecure_content_security_policy => insecure_csp}/guidance.md (99%) rename submissions/description/server_security_misconfiguration/misconfigured_security_headers/{insecure_content_security_policy => insecure_csp}/recommendations.md (93%) create mode 100644 submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_csp/template.md diff --git a/submissions/description/insufficient_security_configurability/business_logic_bypass/recommendations.md b/submissions/description/insufficient_security_configurability/business_logic_bypass/recommendations.md deleted file mode 100644 index 9b071330..00000000 --- a/submissions/description/insufficient_security_configurability/business_logic_bypass/recommendations.md +++ /dev/null @@ -1,11 +0,0 @@ -**Recommendation** - -Remediate the identified flaws within the applications design and implementation, to ensure that the intended application logic cannot be bypassed or manipulated to elicit unintended behaviours. - -Furthermore, the following key points should be taken into consideration: - -* Ensure developers and Quality Assurance testers understand the application and its intended functionality. -* Avoid making implicit assumptions about user behaviour or other parts of the application. -* Maintain clear design documents and data flows for all transactions and workflows, noting any assumptions that are made at each stage. -* Write code as clearly as possible. If it's difficult to understand what is supposed to happen, it will be difficult to spot any logic flaws. Ensure that developers and testers know what assumptions are being made and exactly what the expected behaviour is. -* Note any references to other code that uses each component. Consider any side-effects of these dependencies if a malicious party were to manipulate them in an unintended manner. \ No newline at end of file 
diff --git a/submissions/description/insufficient_security_configurability/business_logic_bypass/template.md b/submissions/description/insufficient_security_configurability/business_logic_bypass/template.md deleted file mode 100644 index d02da53c..00000000 --- a/submissions/description/insufficient_security_configurability/business_logic_bypass/template.md +++ /dev/null @@ -1,20 +0,0 @@ -Business logic vulnerabilities occur due to logic flaws in an applications workflow, often stemming from mistaken expectations regarding user behaviour. This can lead to a condition where failure to anticipate unexpected states during the design and implementation of the application results in a malicious user being able to trigger unintended behaviour. - -An attacker may exploit this vulnerability to manipulate workflows, abuse legitimate features and functionality, or bypass traditional security controls. - -{{Describe the application logic bypass identified in the in-scope application}} - -**Business Impact** - -This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. - -**Steps to Reproduce** - -1. Step 1 -1. Step 2, with context: - ```http - POST /example HTTP/2 - Host: example.com - - {"param":"value"} - ``` \ No newline at end of file diff --git a/submissions/description/insufficient_security_configurability/no_account_lockout/template.md b/submissions/description/insufficient_security_configurability/no_account_lockout/template.md index 30bdc218..20491d0e 100644 --- a/submissions/description/insufficient_security_configurability/no_account_lockout/template.md +++ b/submissions/description/insufficient_security_configurability/no_account_lockout/template.md 
@@ -1,15 +1,18 @@ -The application was found to have no account lockout enforced, thereby potentially allowing an attacker to brute force accounts for an indefinite period. - -An account lockout is a countermeasure whereby a user account is prevented from logging in temporarily after an incorrect password is supplied a fixed number of times. The lack of account lockout makes the application particularly vulnerable to brute force attacks, which could lead to the direct compromise of users’ accounts. - -It is normally trivial to determine the difference between a successful and failed login attempt automatically. Therefore, it is possible for an attacker to write a script to continuously attempt to login with many different passwords and report on any that were successful. Without a strong password policy in place, this technique is likely to succeed. +The application does not enforce account lockout on the login endpoint after repeated failed authentication attempts. An attacker can perform brute force or credential stuffing attacks on users' accounts for an indefinite period without restriction. Without a strong password policy in place, this technique is likely to succeed. This could allow an attacker to gain access to users' accounts if successful. **Business Impact** Having no account lockout can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -**Proof of Concept (PoC)** +**Steps to Reproduce** -The following screenshot shows the use of a tool to automate the numerous login requests to the application. As visible from the response statuses, it was possible to successfully login to the application after submitting 25 consecutive invalid login requests: +1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP +1. Use a browser to navigate to: {{URL}} +1. 
Submit multiple incorrect password attempts in rapid succession +1. Confirm that no account lockout, CAPTCHA, or rate limiting is triggered + +**Proof of Concept (PoC)** -{{screnshot}} +The screenshot(s) below demonstrate(s) the vulnerability: +> +> {{screenshot}} diff --git a/submissions/description/insufficient_security_configurability/business_logic_bypass/guidance.md b/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_version_in_response_headers/guidance.md similarity index 99% rename from submissions/description/insufficient_security_configurability/business_logic_bypass/guidance.md rename to submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_version_in_response_headers/guidance.md index c7a67751..63878eb1 100644 --- a/submissions/description/insufficient_security_configurability/business_logic_bypass/guidance.md +++ b/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_version_in_response_headers/guidance.md @@ -2,4 +2,4 @@ Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. -Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). \ No newline at end of file +Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). 
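Review bot: step 3 of the new Steps to Reproduce in no_account_lockout/template.md ("Submit multiple incorrect password attempts in rapid succession") gives triage nothing to verify against; state the number of attempts and the time window observed with placeholders (the recommendations.md in this series cites five attempts in ten minutes as a reasonable threshold, so "at least {{N}} failed attempts within {{M}} minutes" lets the tester tie the finding to that baseline), and add a final step confirming that the correct password still authenticates afterwards, since that is the observation that actually proves no lockout occurred. Minor: "Enable a HTTP interception proxy" should read "an HTTP", and the description's closing sentence "This could allow an attacker to gain access to users' accounts if successful" repeats the sentence before it.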
diff --git a/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/recommendations.md b/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_version_in_response_headers/recommendations.md similarity index 96% rename from submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/recommendations.md rename to submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_version_in_response_headers/recommendations.md index c4203bd2..d8844d88 100644 --- a/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/recommendations.md +++ b/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_version_in_response_headers/recommendations.md @@ -1,3 +1,3 @@ **Recommendation** -Remove the version number disclosure in the HTTP response headers, either by removing the headers entirely, or having them return a generic response. Vendor documentation should provide specific details on how to adjust the configuration to remove version numbers. \ No newline at end of file +Remove the version number disclosure in the HTTP response headers, either by removing the headers entirely, or having them return a generic response. Vendor documentation should provide specific details on how to adjust the configuration to remove version numbers. 
diff --git a/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/template.md b/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_version_in_response_headers/template.md similarity index 56% rename from submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/template.md rename to submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_version_in_response_headers/template.md index b127af1a..4241d97a 100644 --- a/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/template.md +++ b/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_version_in_response_headers/template.md 
@@ -1,17 +1,20 @@ -Software version numbers were disclosed within the HTTP response headers. - -An attacker could use this information to enumerate the underlying technologies and plan further attacks based on the versions disclosed. +The application server discloses the software name and version number of the web server, application framework, or other server-side components within the HTTP response headers. An attacker could use this information to enumerate the underlying technologies and plan further attacks based on the versions disclosed. **Business Impact** Software version disclosures can lead to reputational damage for the business due to a loss in confidence from users who can see that the web server is running on older software. If an attacker is successful in identifying and exploiting a known vulnerability for the identified version of software on this host, this can lead to indirect financial losses and data loss. - **Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP -1. In a browser, navigate to the homepage of the application +1. In a browser, navigate to the homepage of the application 1. Use the Web Proxy to intercept the response 1. Observe the `{{header name}}` response header, noting the the version number disclosed for the software `{{disclosed software}}`, e.g: +> +> `Server: nginx/1.17.10` + +**Proof of Concept (PoC)** ->`Server: nginx/1.17.10` +The screenshot(s) below demonstrate(s) the vulnerability: +> +> {{screenshot}} diff --git a/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/guidance.md b/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/guidance.md deleted file mode 100644 index c7a67751..00000000 
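Review bot: the context line "noting the the version number disclosed" in software_version_in_response_headers/template.md still carries the doubled "the", and "e.g:" should be "e.g.:"; since this hunk already rewrites the surrounding lines, fix both here. The new blockquoted example ("> `Server: nginx/1.17.10`") is fine, but the PoC section that follows asks only for a screenshot; keep a text copy of the observed header line next to the `{{header name}}` placeholder so triagers can search for it rather than read it off an image.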
--- a/submissions/description/server_security_misconfiguration/fingerprinting_banner_disclosure/software_versions_disclosed_in_response_headers/guidance.md +++ /dev/null @@ -1,5 +0,0 @@ -**Guidance** - -Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. - -Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). \ No newline at end of file diff --git a/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/template.md b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/template.md deleted file mode 100644 index 9bd2d521..00000000 --- a/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/template.md +++ /dev/null 
@@ -1,21 +0,0 @@ -The configured `Content Security Policy` (CSP) was insecure. - -A CSP is a mechanism designed to add an additional layer of protection against injection attacks such as Cross-Site Scripting (XSS) and clickjacking. The CSP achieves this by specifying the limitations on which resources may be loaded and from where. - -A CSP can inherit weakness if configured by attributes that reduce the security benefits of having a CSP. The in-scope application's CSP was found to be insecure due to the usage of the following explicitly unsafe source expressions: - -{{replace following with relevant insecure directives}} -- unsafe-inline: allows the execution of untrusted inline page scripts and event handlers -- unsafe-eval: allows the execution of code injected into DOM APIs such as eval() - -An attacker may leverage an insecure CSP to attempt attacks with the aim of executing malicious code in a user’s browser. - -**Business Impact** -An insecure `Content-Security-Policy` header can lead to reputational damage and indirect financial loss to the business due to an advanced attacker’s ability to access data through a XSS attack. The degree of impact is dependent on the sensitivity of data being transmitted over the wire and the sophistication of the attacker’s abilities. - - -**Proof of Concept (PoC)** - -The following code snippet contains the Content-Security-Policy header returned by the application: - -`Content-Security-Policy:` 
diff --git a/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/guidance.md b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_csp/guidance.md similarity index 99% rename from submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/guidance.md rename to submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_csp/guidance.md index c7a67751..63878eb1 100644 --- a/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/guidance.md +++ b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_csp/guidance.md @@ -2,4 +2,4 @@ Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. -Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). \ No newline at end of file +Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). 
diff --git a/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/recommendations.md b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_csp/recommendations.md similarity index 93% rename from submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/recommendations.md rename to submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_csp/recommendations.md index a80e115e..20c6a892 100644 --- a/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_content_security_policy/recommendations.md +++ b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_csp/recommendations.md @@ -7,4 +7,4 @@ For example, the `script-src` directive should have a value applied to block all For more information, please see: - -- \ No newline at end of file +- diff --git a/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_csp/template.md b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_csp/template.md new file mode 100644 index 00000000..f8bb2fc8 --- /dev/null +++ b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_csp/template.md 
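Review bot: in insecure_csp/recommendations.md the two bullets under "For more information, please see:" show no link text in this diff (`-` and `- `); check that the reference URLs survived the rename, otherwise the section renders as an empty list.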
@@ -0,0 +1,21 @@ +The application implements a Content Security Policy (CSP) header, but the policy is configured insecurely. A CSP is a mechanism designed to add an additional layer of protection against injection attacks such as Cross-Site Scripting (XSS) and clickjacking. The CSP achieves this by specifying the limitations on which resources may be loaded and from where. A CSP can inherit weakness if configured by attributes that reduce the security benefits of having a CSP. An attacker can leverage an insecure CSP to attempt attacks with the aim of executing malicious code in a user’s browser. + +**Business Impact** +An insecure `Content-Security-Policy` header can lead to reputational damage and indirect financial loss to the business due to an advanced attacker’s ability to access data through a XSS attack. The degree of impact is dependent on the sensitivity of data being transmitted over the wire and the sophistication of the attacker’s abilities. + +**Steps to Reproduce** + +1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP +1. Use a browser to navigate to: {{URL}} +1. Inspect the HTTP response headers and locate the `Content-Security-Policy` header +1. Review the policy and note the usage of the following explicitly unsafe source expressions: +> +> {{replace following with relevant insecure directives}} +> - unsafe-inline: allows the execution of untrusted inline page scripts and event handlers +> - unsafe-eval: allows the execution of code injected into DOM APIs such as eval() + +**Proof of Concept (PoC)** + +The screenshot(s) below demonstrate(s) the vulnerability: +> +> {{screenshot}} diff --git a/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/guidance.md b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/guidance.md index c7a67751..63878eb1 100644 
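Review bot: step 4 of the new insecure_csp/template.md lists `unsafe-inline` and `unsafe-eval` without saying which directive they appear in; the impact differs sharply between `script-src` (or a `default-src` fallback that governs scripts) and `style-src`, so add a `{{directive}}` placeholder beside each expression and quote them as they appear in the header (`'unsafe-inline'`, single quotes included). The PoC section now asks only for a screenshot, whereas the template deleted earlier in this patch captured the raw `Content-Security-Policy:` header value as text; keep that text line alongside the screenshot so the policy can be reviewed verbatim. Wording: "A CSP can inherit weakness if configured by attributes" should read "A CSP is weakened when it contains source expressions", and "a XSS attack" should be "an XSS attack".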
--- a/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/guidance.md +++ b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/guidance.md @@ -2,4 +2,4 @@ Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. -Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). \ No newline at end of file +Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). diff --git a/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/recommendations.md b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/recommendations.md index 386b78b0..abf7978c 100644 --- a/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/recommendations.md +++ b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/recommendations.md @@ -1,4 +1,4 @@ - **Recommendation** +# Recommendation(s) Ensure that all JavaScript libraries and their associated components are routinely updated to the latest secure version. -Deprecated libraries should be reviewed for replacement by actively maintained alternatives. \ No newline at end of file +Deprecated libraries should be reviewed for replacement by actively maintained alternatives. 
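Review bot: this hunk changes unpatched_javascript_libraries/recommendations.md to a `# Recommendation(s)` H1 while the other recommendations.md files in this series (software_version_in_response_headers in this patch, no_account_lockout in PATCH 14) keep the bold `**Recommendation**` label; pick one heading convention for all templates, otherwise rendered submissions will look inconsistent.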
diff --git a/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md index d4304f20..575793ba 100644 --- a/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md +++ b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md 
@@ -1,30 +1,25 @@ -The application was found to be using outdated and unpatched JavaScript libraries. Without security updates, these libaries are vulnerable to a number of publicly disclosed vulnerabilities. - -Given their close integration with the Document Object Model (DOM), JavaScript libraries are a prime target for Cross Site Scripting (XSS) attacks. +The application includes one or more outdated and unpatched client-side JavaScript libraries. Without security updates, these libraries contain a number of publicly disclosed vulnerabilities. Given their close integration with the Document Object Model (DOM), JavaScript libraries are a prime target for Cross Site Scripting (XSS) attacks. These unpatched javascript libraries increase the attack surface available to an attacker. {{Delete if not applicable}} Additionally, further JavaScript libraries were identified that are no longer maintained. Consequently, these libraries will no longer be able to receive security updates and patches for known vulnerabilities. -The affected software versions and related vulnerabilities have been listed below: - -{{example formatting below}} - ->**[Bootstrap v3.4.1](https://getbootstrap.com/)** ->- Bootstrap before 4.0.0 is end-of-life and no longer maintained ->- [CVE-2024-6485](https://nvd.nist.gov/vuln/detail/CVE-2024-6485): XSS in bootstrap button component ->- [CVE-2024-6484](https://nvd.nist.gov/vuln/detail/CVE-2024-6485): XSS in carousel component - **Business Impact** Outdated JavaScript libraries can lead to reputational damage for the business due to a loss in confidence and trust by users. -**Proof Of Concept (PoC)** +**Steps to Reproduce** + +1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP +1. Use a browser to navigate to: {{URL}} +1. Identify the {{library_name}} library loaded at {{library_path}} +1. 
The affected software versions and related vulnerabilities have been listed below: +> +> **[Bootstrap v3.4.1](https://getbootstrap.com/)** +> - Bootstrap before 4.0.0 is end-of-life and no longer maintained +> - [CVE-2024-6485](https://nvd.nist.gov/vuln/detail/CVE-2024-6485): XSS in bootstrap button component +> - [CVE-2024-6484](https://nvd.nist.gov/vuln/detail/CVE-2024-6485): XSS in carousel component -Navigate to the following JavaScript library files and view the version numbers disclosed at the top of the files: +**Proof of Concept (PoC)** -{{direct link to source file}} -``` -* Bootstrap v3.4.1 (https://getbootstrap.com/) - * Copyright 2011-2019 Twitter, Inc. - * Licensed under the MIT license - */ -``` +The screenshot(s) below demonstrate(s) the vulnerability: +> +> {{screenshot}} From 2e6bf6504ca6c8050739751af177323f7e8678a8 Mon Sep 17 00:00:00 2001 From: RRudder <96507400+RRudder@users.noreply.github.com> Date: Tue, 31 Mar 2026 12:02:41 +1000 Subject: [PATCH 14/17] fixing linter errors --- .../no_account_lockout/guidance.md | 2 +- .../no_account_lockout/recommendations.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/submissions/description/insufficient_security_configurability/no_account_lockout/guidance.md b/submissions/description/insufficient_security_configurability/no_account_lockout/guidance.md index c7a67751..63878eb1 100644 --- a/submissions/description/insufficient_security_configurability/no_account_lockout/guidance.md +++ b/submissions/description/insufficient_security_configurability/no_account_lockout/guidance.md 
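Review bot: the second CVE bullet in unpatched_javascript_libraries/template.md is labelled CVE-2024-6484 but links to `https://nvd.nist.gov/vuln/detail/CVE-2024-6485`, and this hunk carries the mismatch over unchanged (both entries share the same URL); correct the link target to match the label while the lines are being moved. Also "These unpatched javascript libraries" should capitalise "JavaScript", and dropping the old fenced snippet of the library's version header comment removes the only text evidence the template had; consider keeping a `{{version string as shown in the file header}}` placeholder under step 3 next to `{{library_path}}`.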
@@ -2,4 +2,4 @@ Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. -Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). \ No newline at end of file +Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). diff --git a/submissions/description/insufficient_security_configurability/no_account_lockout/recommendations.md b/submissions/description/insufficient_security_configurability/no_account_lockout/recommendations.md index 1bbd0d96..c8d3300a 100644 --- a/submissions/description/insufficient_security_configurability/no_account_lockout/recommendations.md +++ b/submissions/description/insufficient_security_configurability/no_account_lockout/recommendations.md @@ -2,4 +2,4 @@ An account lockout should be enforced to provide an extra layer of defence against brute force attacks, in addition to a strong password policy. A reasonable account lockout policy would be to lockout an account for fifteen minutes if five invalid login attempts were made within a ten-minute period, however this can be adapted depending on business requirements or the sensitivity of the application. -It is important to ensure that the lockout is not permanent, otherwise this can be used to perform denial of service attacks against the system by purposely locking valid accounts out. \ No newline at end of file +It is important to ensure that the lockout is not permanent, otherwise this can be used to perform denial of service attacks against the system by purposely locking valid accounts out. From 32fe75f9c7f2448e1136e163eedd1903ddad9e7d Mon Sep 17 00:00:00 2001 
From: RRudder <96507400+RRudder@users.noreply.github.com> Date: Tue, 31 Mar 2026 12:05:20 +1000 Subject: [PATCH 15/17] fixing linter errors --- .../misconfigured_security_headers/insecure_csp/template.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_csp/template.md b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_csp/template.md index f8bb2fc8..65bd5df7 100644 --- a/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_csp/template.md +++ b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_csp/template.md @@ -11,8 +11,9 @@ An insecure `Content-Security-Policy` header can lead to reputational damage and 1. Review the policy and note the usage of the following explicitly unsafe source expressions: > > {{replace following with relevant insecure directives}} -> - unsafe-inline: allows the execution of untrusted inline page scripts and event handlers -> - unsafe-eval: allows the execution of code injected into DOM APIs such as eval() + +- unsafe-inline: allows the execution of untrusted inline page scripts and event handlers +- unsafe-eval: allows the execution of code injected into DOM APIs such as eval() **Proof of Concept (PoC)** From f0c66025ffc493fdd23a88fbf7cf5621475dd5c0 Mon Sep 17 00:00:00 2001 From: RRudder <96507400+RRudder@users.noreply.github.com> Date: Tue, 31 Mar 2026 12:07:08 +1000 Subject: [PATCH 16/17] fixing linter errors --- .../misconfigured_security_headers/insecure_csp/template.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_csp/template.md b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_csp/template.md index 65bd5df7..537e7fc3 100644 
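Review bot: moving the two `unsafe-*` bullets out of the blockquote in insecure_csp/template.md leaves step 4 followed by a quote block containing only the `{{replace following with relevant insecure directives}}` placeholder and then a top-level list, so the rendered template now has a dangling quote between the step and its bullets; either keep the bullets inside the quote with a blank `>` line after the placeholder (the same fix PATCH 17 applies to the Bootstrap list) or drop the quote entirely and keep the placeholder as a plain instruction line.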
--- a/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_csp/template.md +++ b/submissions/description/server_security_misconfiguration/misconfigured_security_headers/insecure_csp/template.md @@ -9,8 +9,6 @@ An insecure `Content-Security-Policy` header can lead to reputational damage and 1. Use a browser to navigate to: {{URL}} 1. Inspect the HTTP response headers and locate the `Content-Security-Policy` header 1. Review the policy and note the usage of the following explicitly unsafe source expressions: -> -> {{replace following with relevant insecure directives}} - unsafe-inline: allows the execution of untrusted inline page scripts and event handlers - unsafe-eval: allows the execution of code injected into DOM APIs such as eval() From 089e8836f511aa653e828ffa9457f88e51bc48b2 Mon Sep 17 00:00:00 2001 From: RRudder <96507400+RRudder@users.noreply.github.com> Date: Tue, 31 Mar 2026 12:10:54 +1000 Subject: [PATCH 17/17] fixing linter errors --- .../unpatched_javascript_libraries/template.md | 1 + 1 file changed, 1 insertion(+) diff --git a/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md index 575793ba..2e95f8b5 100644 --- a/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md +++ b/submissions/description/using_components_with_known_vulnerabilities/unpatched_javascript_libraries/template.md 
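Review bot: removing the `{{replace following with relevant insecure directives}}` placeholder together with the stray `>` lines means insecure_csp/template.md now hard-codes both `unsafe-inline` and `unsafe-eval` as findings with no instruction to delete the one that does not apply; restore the placeholder as a plain line above the two bullets, in the style of the `{{Delete if not applicable}}` marker already used in unpatched_javascript_libraries/template.md.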
@@ -14,6 +14,7 @@ Outdated JavaScript libraries can lead to reputational damage for the business d 1. The affected software versions and related vulnerabilities have been listed below: > > **[Bootstrap v3.4.1](https://getbootstrap.com/)** +> > - Bootstrap before 4.0.0 is end-of-life and no longer maintained > - [CVE-2024-6485](https://nvd.nist.gov/vuln/detail/CVE-2024-6485): XSS in bootstrap button component > - [CVE-2024-6484](https://nvd.nist.gov/vuln/detail/CVE-2024-6485): XSS in carousel component
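Review bot: the added blank `>` line fixes the list-inside-blockquote rendering, but the context lines still show the CVE-2024-6484 bullet linking to the CVE-2024-6485 NVD page; since this commit already touches the block, correct that link target here as well.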