Insecure data storage simply refers to data that is stored without adequate protection: no encryption, no access control, no other safeguard. It is a concern for every application, whichever team develops it. Sensitive data is exposed whenever the protection around it is insufficient, so when we think about security testing, for example pentesting web applications, we must plan for the worst case: a data breach. Passwords, names and credit card numbers need secure storage mechanisms, because the business consequences of insecure data storage can be more than serious.
When a team produces an application, developers are sometimes not aware, or simply assume, that certain files are neither sensitive nor reachable by an attacker. Then it turns out that the data is accessible after all, and that is what this episode is about. Let's dig in.
First of all, we have a web application whose main page contains only a login form. It may look as if all the functionality is available only after logging in, but that does not stop an attacker from looking around and trying to find something the developers overlooked.
One of the first activities an attacker will consider during reconnaissance of a website is brute forcing directory and file names. Numerous tools can do this, for example DirBuster, Gobuster, Burp Suite and many others.
As an example, we will use dirsearch. In the video we run the directory brute force against the target with dirsearch -u localhost followed by further options; in particular we pass a dictionary (a wordlist, selected with -w, with the extensions to try given with -e), so the tool has a list of names to request and can flag the ones the server answers for. Let's run it for a minute and watch the scan progress. It always takes time, so we need to be patient.
We can already see a few hints. robots.txt is always interesting: it tells search-engine crawlers which URLs on the site they may and may not fetch, so it often points at additional content, possibly sensitive, that the owner did not want indexed. Keep in mind that robots.txt is advice to well-behaved crawlers, not an access control, so nothing stops us from visiting the listed paths. If we open robots.txt we see a Disallow entry. There is not much here because it's a simple website, but on real sites this can include interesting paths. In this case the disallowed URL is just a 404 page, so it is not useful for us.
But if we don't want to give up so early, we can check the other results: the GTMP file, the DB file, and in general files whose names start with ~ and similar leftovers. We can check the email file, for example; it could reference a temporary file or contain potential passwords. Of course, it might also turn out to be nothing interesting.
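The steps above (request a wordlist of names, try backup and temporary-file variants of each, then feed the paths named in robots.txt back in as further candidates) are what dirsearch automates. The following is an added example written for this article, not code from the episode or from dirsearch; the extension list, backup patterns, well-known file names and the constructed robots.txt used in the test are assumptions chosen to mirror the files found in the video.

```python
import re
import urllib.error
import urllib.request

# Assumed lists: leftovers worth trying next to every word (backup/temp copies, dumps,
# note files, spreadsheets, Finder metadata), mirroring what the episode found.
EXTENSIONS = ("php", "txt", "sql", "bak", "ctb", "xlsx")
BACKUP_PATTERNS = ("{}~", "~{}", "{}.bak", "{}.old", ".{}.swp")
WELL_KNOWN = ("robots.txt", ".DS_Store", "backup.sql", "dump.sql")


def candidates(words):
    """Expand a wordlist into paths to probe: word, word/, word.ext and backup variants."""
    out = {}                                   # dict keeps insertion order and dedupes
    for w in words:
        for n in [w] + [f"{w}.{e}" for e in EXTENSIONS]:
            out[n] = None
            for pat in BACKUP_PATTERNS:
                out[pat.format(n)] = None
        out[w + "/"] = None
    for wk in WELL_KNOWN:
        out[wk] = None
    return list(out)


def robots_candidates(robots_txt):
    """Paths robots.txt asks crawlers to skip. It is advice to crawlers, not access control,
    so every entry is a lead; directories also get the well-known file names appended."""
    out = []
    for line in robots_txt.splitlines():
        m = re.match(r"\s*(?:disallow|allow)\s*:\s*(\S+)", line.split("#", 1)[0], re.I)
        if not m or m.group(1) in ("/", "*"):
            continue
        path = m.group(1).lstrip("/").replace("*", "")
        out.append(path)
        if path.endswith("/"):
            out.extend(path + wk for wk in WELL_KNOWN if wk != "robots.txt")
    return out


def http_get(url, timeout=5):
    """Fetch url and return (status, body); (None, b'') when the connection fails."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0 (dir-recon)"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, b""
    except urllib.error.URLError:
        return None, b""


def probe(base_url, paths, fetch=http_get, interesting=(200, 301, 302, 401, 403)):
    """Request each path and keep the ones that answer with an interesting status.
    fetch(url) -> (status, body) is injectable so the logic can be tested without a server."""
    base = base_url.rstrip("/") + "/"
    hits = {}
    for p in paths:
        status, _ = fetch(base + p)
        if status in interesting:
            hits[p] = status
    return hits


def recon(base_url, words, fetch=http_get):
    """Wordlist probe, then feed robots.txt entries back in as extra candidates."""
    paths = candidates(words)
    status, body = fetch(base_url.rstrip("/") + "/robots.txt")
    if status == 200:
        paths += [p for p in robots_candidates(body.decode("utf-8", "replace")) if p not in paths]
    return probe(base_url, paths, fetch)


if __name__ == "__main__":
    import sys
    for path, status in recon(sys.argv[1], sys.argv[2:] or ["index", "admin", "login"]).items():
        print(status, path)
```

Run it as `python recon.py http://localhost login admin` against a host you are authorised to test. A 403 is reported on purpose: a directory that exists but refuses listing is still a lead, and a .DS_Store inside it will often give up the file names.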
If we look at the CTB extension, it belongs to documents created by CherryTree, a note-taking application, and it is quite an unusual extension in general. Let's check what is inside.
Sometimes we are able to open such a file and sometimes not, but for the purpose of the video demo we have installed the software needed for that extension, so we can open it.
There is one entry: "Send Anna an email about a policy". Unfortunately, nothing really juicy here, but we keep searching. The more information we find, the better. Even when a piece of information does not hurt anyone directly, it can be useful for further research; a first name like this, for instance, is a starting point for guessing usernames.
We also found a SQL file, which may contain SQL queries that reveal information about the database. In the next step we verify it, because .sql is a very popular extension and file type, so we should always look for it; again, it may reveal more about the infrastructure. We can download all the files we gather and review this particular SQL file to see what is inside. In the video you can see that it contains queries and, for example, the version of certain software, the names of the databases and more that could be useful later.
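Reviewing a dump by hand is fine for one file, but the facts we want first (dump tool and server version, host names, database and table names, and any rows from credential-looking tables) can be pulled out automatically. The following triage script is an added example for this article, not code from the episode; the dump text it scans is constructed for illustration, and the table-name and hash heuristics are assumptions that a real engagement would extend.

```python
import re

# Constructed sample of what a leaked dump might contain (not the file from the episode).
SAMPLE_DUMP = """\
-- MySQL dump 10.13  Distrib 5.7.42, for Linux (x86_64)
-- Host: db01.internal    Database: shop_prod
-- Server version\t5.7.42-0ubuntu0.18.04.1
CREATE DATABASE IF NOT EXISTS `shop_prod`;
USE `shop_prod`;
CREATE TABLE `customers` (`id` int, `email` varchar(255), `card_last4` char(4));
CREATE TABLE `users` (`id` int, `login` varchar(64), `password` varchar(255));
INSERT INTO `users` VALUES (1,'anna','$2y$10$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQ'),(2,'admin','5f4dcc3b5aa765d61d8327deb882cf99');
"""

# Header comments written by mysqldump, plus DDL that names databases and tables.
PATTERNS = {
    "versions": re.compile(r"^--.*?(?:Distrib|Server version)\s+([\w.\-]+)", re.M),
    "hosts": re.compile(r"^--\s*Host:\s*(\S+)", re.M),
    "databases": re.compile(r"\b(?:CREATE DATABASE(?: IF NOT EXISTS)?|USE)\s+`?([\w$]+)`?", re.I),
    "tables": re.compile(r"\bCREATE TABLE(?: IF NOT EXISTS)?\s+`?([\w$]+)`?", re.I),
}
# One INSERT statement: table name and its VALUES list (heuristic: stops at the first ';').
INSERT = re.compile(r"\bINSERT INTO\s+`?([\w$]+)`?\s+VALUES\s*(.+?);", re.I | re.S)
# Assumed: tables whose name hints at accounts, and quoted values shaped like bcrypt/MD5/SHA hashes.
CRED_TABLE = re.compile(r"user|account|admin|member|login|cred|auth", re.I)
HASH_LIKE = re.compile(r"'(\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}|[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})'")


def _uniq(items):
    return list(dict.fromkeys(items))      # dedupe, keep first-seen order


def triage_sql_dump(text):
    """Return versions, hosts, databases, tables and (table, row, hashes) for credential rows."""
    found = {key: _uniq(pat.findall(text)) for key, pat in PATTERNS.items()}
    found["credential_rows"] = []
    for table, values in INSERT.findall(text):
        if CRED_TABLE.search(table):
            for row in re.findall(r"\(([^)]*)\)", values):   # one parenthesised tuple per row
                found["credential_rows"].append((table, row, HASH_LIKE.findall(row)))
    return found


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for key, value in triage_sql_dump(text).items():
        print(key, value)
```

The version strings matter beyond curiosity: they tell you which database build the site runs, which is exactly the kind of infrastructure detail the episode warns a dump can leak.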
This is just an example, of course, but we should definitely go deeper here, because usually this is how the operation looks. There is also an innocent-looking .DS_Store file. .DS_Store is a file created by the macOS Finder to save folder view settings, and it records the names of the files in that folder, including files that are never linked from the site, which is why it may reveal sensitive information.
That is exactly our next step: we want to see what is inside the .DS_Store. In the video we drop the file into an online .DS_Store parser, upload it and parse it, and the output lists the entries stored in the file. One caveat: uploading a client's .DS_Store to a third-party service discloses those same file names to that service, so on an engagement prefer a local parser.
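For readers who would rather parse the file locally than upload it, here is an added example (written for this article, not the tool used in the video): a small .DS_Store reader that walks the file's buddy-allocator header and B-tree and lists every record, from which the file names follow. Because the sample must run offline, the block also builds a constructed .DS_Store image with assumed entries (the names and values are invented to resemble the web root from the episode); the parser itself follows the documented on-disk layout and can be pointed at a real file.

```python
import struct
from collections import namedtuple

Record = namedtuple("Record", "filename struct_id data_type value")
# payload sizes of the fixed-width record types; blob and ustr carry a 4-byte length prefix instead
_FIXED = {"bool": 1, "long": 4, "shor": 4, "type": 4, "comp": 8, "dutc": 8}


def _read_record(buf, p):
    """Decode one record at offset p: UTF-16BE name, 4-char structure id, 4-char type, payload."""
    nlen = struct.unpack(">I", buf[p:p + 4])[0]; p += 4
    name = buf[p:p + 2 * nlen].decode("utf-16-be"); p += 2 * nlen
    sid, typ = buf[p:p + 4].decode("ascii"), buf[p + 4:p + 8].decode("ascii"); p += 8
    size = _FIXED.get(typ)
    if size is None:
        if typ not in ("blob", "ustr"):
            raise ValueError("unknown record data type %r" % typ)
        size = struct.unpack(">I", buf[p:p + 4])[0]; p += 4
        size *= 2 if typ == "ustr" else 1              # ustr length is counted in UTF-16 code units
    raw = buf[p:p + size]; p += size
    if typ == "bool":             value = bool(raw[0])
    elif typ in ("long", "shor"): value = struct.unpack(">I", raw)[0]
    elif typ in ("comp", "dutc"): value = struct.unpack(">Q", raw)[0]
    elif typ == "ustr":           value = raw.decode("utf-16-be")
    else:                         value = raw.decode("ascii") if typ == "type" else raw   # blob: opaque bytes
    return Record(name, sid, typ, value), p


def parse_ds_store(data):
    """Return every record of a .DS_Store image by walking the B-tree under the 'DSDB' entry."""
    if data[:8] != b"\x00\x00\x00\x01Bud1":
        raise ValueError("not a .DS_Store file (missing Bud1 header)")
    root_off, root_size = struct.unpack(">II", data[8:16])
    root = data[root_off + 4:root_off + 4 + root_size]  # offsets are relative to the 4-byte prefix
    count = struct.unpack(">I", root[:4])[0]
    nslots = (count + 255) & ~255                       # address table is padded to a multiple of 256
    addrs = struct.unpack(">%dI" % nslots, root[8:8 + 4 * nslots])
    p = 8 + 4 * nslots
    toc, ndir = {}, struct.unpack(">I", root[p:p + 4])[0]; p += 4
    for _ in range(ndir):                               # directory: 1-byte name length, name, block id
        nlen = root[p]; name = root[p + 1:p + 1 + nlen]; p += 1 + nlen
        toc[name] = struct.unpack(">I", root[p:p + 4])[0]; p += 4

    def block(block_id):                                # address = offset | log2(size) in the low 5 bits
        addr = addrs[block_id]
        return data[(addr & ~0x1F) + 4:][:1 << (addr & 0x1F)]

    records = []

    def walk(block_id):                                 # node: right pointer (0 for a leaf), count, entries
        node = block(block_id)
        right, n = struct.unpack(">II", node[:8]); q = 8
        for _ in range(n):
            if right:                                   # internal node: a child block id precedes each record
                child = struct.unpack(">I", node[q:q + 4])[0]; q += 4
                walk(child)
            rec, q = _read_record(node, q)
            records.append(rec)
        if right:
            walk(right)

    walk(struct.unpack(">I", block(toc[b"DSDB"])[:4])[0])   # master block starts with the root node id
    return records


def leaked_names(records):
    """File names the .DS_Store reveals; '.' is the folder itself and is skipped."""
    return sorted({r.filename for r in records if r.filename != "."})


def _encode_record(name, sid, typ, value):
    """Inverse of _read_record for the types the constructed sample uses (blob, bool, dutc, ustr)."""
    enc = name.encode("utf-16-be")
    head = struct.pack(">I", len(enc) // 2) + enc + sid.encode() + typ.encode()
    if typ == "bool": return head + bytes([int(value)])
    if typ == "dutc": return head + struct.pack(">Q", value)
    if typ == "ustr": value = value.encode("utf-16-be"); return head + struct.pack(">I", len(value) // 2) + value
    return head + struct.pack(">I", len(value)) + value   # blob


def build_sample_ds_store(entries):
    """Constructed image (not written by Finder): allocator block at 0x2000, DSDB master at 0x20, one leaf at 0x1000."""
    addrs = [0x2000 | 11, 0x20 | 5, 0x1000 | 12]        # (offset | log2 size) for blocks 0, 1, 2
    f = bytearray(0x2804)
    f[0:36] = b"\x00\x00\x00\x01Bud1" + struct.pack(">III", 0x2000, 0x800, 0x2000) + bytes(16)
    f[0x24:0x38] = struct.pack(">IIIII", 2, 0, len(entries), 1, 0x1000)   # master: root node is block 2
    leaf = struct.pack(">II", 0, len(entries)) + b"".join(_encode_record(*e) for e in entries)
    f[0x1004:0x1004 + len(leaf)] = leaf
    root = struct.pack(">II", len(addrs), 0) + struct.pack(">256I", *(addrs + [0] * 253))
    root += struct.pack(">I", 1) + b"\x04DSDB" + struct.pack(">I", 1) + bytes(128)   # TOC + 32 empty free lists
    f[0x2004:0x2004 + len(root)] = root
    return bytes(f)


SAMPLE_ENTRIES = [   # assumed contents of a web root's .DS_Store, invented for this example
    (".", "bwsp", "blob", b"bplist00" + bytes(8)),
    ("backup.sql", "Iloc", "blob", bytes.fromhex("00000060000000b0ffffffffffff0000")),
    ("customers.xlsx", "Iloc", "blob", bytes.fromhex("00000120000000b0ffffffffffff0000")),
    ("notes.ctb", "Iloc", "blob", bytes.fromhex("000001e0000000b0ffffffffffff0000")),
    ("old", "dscl", "bool", True),
    ("old", "modD", "dutc", 0x0000000E5F3C0000),
    ("todo.txt", "cmmt", "ustr", "send Anna the policy doc"),
]
```

To use it on a downloaded file: `leaked_names(parse_ds_store(open(".DS_Store", "rb").read()))`. Every name it returns is a path to request directly from the web root, which is exactly the shortcut described next.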
In general, this is how a real-world case looks. Instead of probing the website further, we can now request these files directly: we already know their names, so we put a name literally into the URL, hit the file, download it and review it to learn more about what the website is about.
We also found an Excel spreadsheet, which is worth checking for more information. It could contain usernames and passwords, financial data or something else that becomes yet another tip for further exploitation. It's a very straightforward operation.
Our goal for this episode was simply to show you the meaning and the power of dirsearch, and how important it is to scan your own website for these kinds of additional files that are not supposed to be there. If you perform pentests, this is yet another useful tool for your toolkit, one that finds material you can use in the further steps of the penetration test.
So hopefully you enjoyed this pretty straightforward comment on insecure data storage. Thank you so much for watching, listening to or reading our CQURE Hacks Weekly episode.
If you want to go deeper, check out our newest, upcoming Pentesting Web Application live course.
Our expert, Artur Kalinowski, will demonstrate and show you the details of Cross-Site Scripting, injections and insecure file handling. You will also learn some methods of testing APIs. Join us on 31st May 2023 and learn which vulnerabilities are often found in web apps and how they may be exploited.