Even the web resources of well-known organizations are not immune to rookie mistakes.
Disclaimer. All events took place in 2017. All vulnerabilities described in the article were reported to company representatives as soon as possible after they were discovered. As of 2019, some of the resources have been completely rebuilt (frontend and backend).
The article is purely informational and educational in nature.
Going through some old folders, I came across screenshots I had saved for representatives of a couple of well-known companies in our financial IT market.
It all started when I decided to change my line of work and try myself in QA or a related profession, not as a self-taught loner but on the staff of some large organization, so that I would have someone to learn from and could work as part of a team...
After I posted my resume, my path crossed with Sberbank Technologies and Otkritie Bank, which this short story is about.
After being invited to chat, I decided to look at what lives on the companies' domains and check for interesting vulnerabilities. It is always nice to have a trump card up your sleeve at negotiations.
Sberbank
Sberbank is primarily associated with Russia, but it has branches in other countries, so I decided to take the "easy" path. After just a couple of attempts, two passive (reflected) XSS vulnerabilities turned up in the web interface of the Belarusian Sberbank.
Rookie mistake number one: not validating the data that comes in from the user. The result: cross-site scripting in the search field and in the Sberbank Online login form.
A separate point about the Sberbank Online login form: although the form submitted its values via POST, the server-side scripts happily processed my GET request as well.
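The combination described above, as an added example written for this article rather than code from the bank: a toy login handler that reflects user input into the page unescaped and reads its parameters from a merged GET+POST bag (the behaviour of PHP's $_REQUEST or ASP.NET's Request["name"]), so a form meant to be POSTed also answers a crafted GET link. The parameter name "login", the handler names and the payload are assumptions for the demo.

```python
# Added example, not code from the article or from the bank: a toy handler for
# a login form, written to show the two issues described above -- user input
# reflected into HTML unescaped, and parameters read from a merged GET+POST
# bag (the behaviour of PHP's $_REQUEST or ASP.NET's Request["name"]), so a
# form that is meant to be POSTed also answers a crafted GET link. The
# parameter name "login" and the payload are assumptions for the demo.
import html
from urllib.parse import parse_qs, urlencode


def _first(qs):
    """Flatten parse_qs output to {name: first value}."""
    return {k: v[0] for k, v in parse_qs(qs).items()}


def request_params(method, query_string, body=""):
    """Merge query string and body the way $_REQUEST / Request["x"] do."""
    params = _first(query_string)
    if method == "POST":
        params.update(_first(body))
    return params


def vulnerable_login(method, query_string, body=""):
    """Reflects the submitted login back into the form, unescaped, and does
    not care whether it arrived by GET or POST."""
    login = request_params(method, query_string, body).get("login", "")
    return f'<input name="login" value="{login}">'


def hardened_login(method, query_string, body=""):
    """Accepts the form only as a POST body and HTML-escapes (quotes included)
    anything echoed into an attribute. Returns None where a real handler
    would answer 405 Method Not Allowed."""
    if method != "POST":
        return None
    login = _first(body).get("login", "")
    return f'<input name="login" value="{html.escape(login, quote=True)}">'


# Constructed attacker input: breaks out of the value="" attribute.
PAYLOAD = '"><script>alert(document.domain)</script>'
# The same payload as a query string, i.e. the shareable link a phishing mail
# would carry: https://example.invalid/login?login=...   (hypothetical host)
ATTACK_QUERY = urlencode({"login": PAYLOAD})


def demo():
    """Return (vulnerable GET output, hardened GET output, hardened POST output)."""
    return (
        vulnerable_login("GET", ATTACK_QUERY),
        hardened_login("GET", ATTACK_QUERY),
        hardened_login("POST", "", ATTACK_QUERY),
    )


if __name__ == "__main__":
    for label, out in zip(("vulnerable GET", "hardened GET", "hardened POST"), demo()):
        print(f"{label:15}: {out}")
```

The point of the method check is not that GET is wrong in itself: accepting the form from a URL is what turns a reflected XSS in a POST form into a link that can be mailed to a victim. Output encoding is what actually removes the XSS; the method check only takes away the easy delivery route.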
I also decided to look at the domain from which Sberbank's HR had written to me. It turned out to be the "Sberbank Talents" portal.
After poking at various forms and hidden fields I got nothing useful, except that the portal runs on ASP.NET.
Looking through the source of the main HTML page once more, I noticed that all JS and CSS files are served through a script that concatenates and minifies the files listed in the GET request.
Rookie mistake number two: not restricting the list of files/directories that can be fetched from the server to a whitelist.
As a result, I got access to the web server configuration file, and also to a far more interesting log file, which contained passwords for SQL and other services as well as live API tokens for posting to social networks.
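A bundler endpoint of the kind described above, with the mistake and the fix side by side, as an added example that is not the portal's actual code: the client passes a comma-separated file list in the query string and gets the concatenated content back. bundle_unsafe joins each name straight onto the static directory, so "../web.config" or a log file is just another file to read; bundle_safe resolves every name and refuses anything that lands outside the static directory or carries a suffix outside the allow-list; bundle_strict goes one step further and lets the client name only a predefined bundle, never a file. The web root, its files and the "secrets" inside them are constructed in a temporary directory for the demo.

```python
# Added example, not the portal's actual code: a minimal JS/CSS bundler
# endpoint of the kind described above, in its unsafe and hardened forms.
# The web root and its files are constructed in a temporary directory; the
# file names and the "secrets" inside them are made up for the demo.
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".js", ".css"}
# Stricter variant: the request carries a bundle name, the server owns the list.
BUNDLES = {"main": ["app.js", "site.css"]}


def make_demo_webroot():
    """Constructed web root: two static assets plus the files an attacker
    would reach for through the bundler."""
    root = Path(tempfile.mkdtemp())
    (root / "static").mkdir()
    (root / "static" / "app.js").write_text("console.log('app');\n")
    (root / "static" / "site.css").write_text("body{margin:0}\n")
    (root / "web.config").write_text("<configuration><!-- connection strings --></configuration>\n")
    (root / "logs").mkdir()
    (root / "logs" / "app.log").write_text("sql password=hunter2 api_token=DEMO-TOKEN\n")
    return root


def bundle_unsafe(root, files_param):
    """The mistake: whatever the request names is read relative to static/."""
    return "".join(Path(root, "static", name).read_text()
                   for name in files_param.split(","))


def bundle_safe(root, files_param):
    """Containment check: resolve() collapses '..' and symlinks, then the
    result must be strictly inside static/ and carry an allowed suffix."""
    static = (Path(root) / "static").resolve()
    parts = []
    for name in files_param.split(","):
        candidate = (static / name).resolve()   # an absolute name replaces static/
        if static not in candidate.parents:
            raise PermissionError(f"refused: {name!r} escapes {static}")
        if candidate.suffix.lower() not in ALLOWED_SUFFIXES or not candidate.is_file():
            raise PermissionError(f"refused: {name!r} is not an allowed asset")
        parts.append(candidate.read_text())
    return "".join(parts)


def bundle_strict(root, bundle_name):
    """Allow-list by name: unknown bundle -> None (404 in a real handler)."""
    files = BUNDLES.get(bundle_name)
    if files is None:
        return None
    return bundle_safe(root, ",".join(files))


def refuses(root, files_param):
    """True when bundle_safe rejects the request (helper for checks)."""
    try:
        bundle_safe(root, files_param)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    root = make_demo_webroot()
    print(bundle_unsafe(root, "../web.config,../logs/app.log"))  # leaks both files
    for req in ("app.js,site.css", "../web.config", "/etc/passwd"):
        print(f"{req:20} -> {'refused' if refuses(root, req) else 'served'}")
```

Two details matter in the safe version: the check is done on the resolved path, not on the string (so "..", absolute names and symlinks are all caught by one comparison), and the suffix test is on the resolved file too. The strict variant is the real whitelist the article calls for: once the server owns the file list, the request can no longer name a path at all.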
Otkritie
Here, too, I decided not to waste time on the main portal but to look straight away at which of its own web resources the bank links to. By a chance analogy with Sberbank, the "Otkritie Bank Career Portal" became the subject.
It turned out that the portal runs on the Bitrix CMS. As a rule, large commercial or open-source engines don't contain rookie mistakes, but...
OK Google, how do I get access to the Bitrix admin panel?
Rookie mistake number three: not disabling directory listing on the server.
In principle, everything is clear: Apache was configured so that directories without an index file displayed their contents. On its own this is not a very critical problem, were it not for a fateful combination of circumstances. On the career portal you can upload your contact details and a resume file. A couple of minutes later I was already looking at a listing of the directory with the applicants' data.
All this is interesting, but it isn't the admin panel. So we leaf through all the folders in the hope of finding something.
Not a rookie mistake but the human factor. I don't know how, and more importantly why, but in one of the directories with PDF/RTF/DOC files there was a file without an extension which was a PHP script.
Thanks to this file a new search vector appeared: the /estaff/ folder, where the logs of adding/removing vacancies with username/password pairs, module scripts and, in one of the files, credentials that fit the Bitrix admin panel were all exposed.
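The two Apache-side problems above (listing of the applicants' upload directory, and a PHP script sitting among uploaded documents) come down to per-directory options, and it is easy to lose track of which directory ends up with what once a server-wide "Options Indexes" is in play. The following is an added example, not from the article or from either bank's configuration: a small auditor for httpd configuration text that reports, for each <Directory> section, whether the Indexes option is effectively on. It follows Apache's merge rules (an Options line without +/- replaces the inherited set, one with +/- adjusts it, and <Directory> sections apply from the shortest path to the longest, so a child inherits from its nearest ancestor) and assumes the httpd 2.4 default of "Options FollowSymLinks". The sample configuration and its paths are constructed; its upload section shows the two hardening directives that would close both holes: no listing of the upload directory and no execution of PHP placed inside it.

```python
# Added example, not from the article or from either bank's configuration:
# an auditor for Apache httpd configuration text that reports, per
# <Directory> section, whether directory listing (Options Indexes) is
# effectively enabled. The sample configuration and its paths are made up.
# Limitations (by design, for the demo): no .htaccess, no <DirectoryMatch>
# or wildcard paths, no <VirtualHost> scoping.
import re

ALL = {"indexes", "includes", "followsymlinks", "symlinksifownermatch", "execcgi"}
DEFAULT = {"followsymlinks"}  # httpd 2.4 default; 2.2 defaulted to All

SAMPLE_CONF = """\
# listing switched on for the whole server: the rookie mistake
Options Indexes FollowSymLinks

<Directory "/var/www/portal">
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/portal/upload">
    # applicants' resumes: no listing, no script execution
    Options -Indexes -ExecCGI
    # mod_php only; php-fpm setups need the handler mapping removed instead
    php_admin_flag engine off
    <FilesMatch "\\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>

<Directory "/var/www/portal/estaff">
    Options FollowSymLinks
</Directory>
"""

_DIR_OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.I)
_DIR_CLOSE = re.compile(r"</Directory\s*>", re.I)
_OPTIONS = re.compile(r"Options\s+(.+)", re.I)


def apply_options(value, inherited):
    """Apply one Options line to an inherited option set (lower-cased names)."""
    tokens = value.split()
    if tokens and all(t[0] in "+-" for t in tokens):
        result = set(inherited)             # +/- form: adjust the inherited set
        for t in tokens:
            names = ALL if t[1:].lower() == "all" else {t[1:].lower()}
            result = result | names if t[0] == "+" else result - names
        return result
    result = set()                          # plain form: the line replaces everything
    for t in tokens:
        if t.lower() == "all":
            result |= ALL
        elif t.lower() != "none":
            result.add(t.lower())
    return result


def effective_options(conf_text):
    """Map each <Directory> path to its effective option set."""
    server_lines, sections, current = [], {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := _DIR_OPEN.match(line)):
            current = m.group(1).rstrip("/") or "/"
            sections.setdefault(current, [])
        elif _DIR_CLOSE.match(line):
            current = None
        elif (m := _OPTIONS.match(line)):
            (sections[current] if current else server_lines).append(m.group(1))
    server = set(DEFAULT)
    for value in server_lines:
        server = apply_options(value, server)
    effective = {}
    for path in sorted(sections, key=len):  # ancestors before descendants
        ancestors = [p for p in effective if path.startswith(p.rstrip("/") + "/")]
        base = effective[max(ancestors, key=len)] if ancestors else server
        opts = set(base)
        for value in sections[path]:
            opts = apply_options(value, opts)
        effective[path] = opts
    return effective


def listing_enabled(conf_text):
    """Sorted list of <Directory> paths where Indexes is effectively on."""
    return sorted(p for p, o in effective_options(conf_text).items() if "indexes" in o)


if __name__ == "__main__":
    for path, opts in effective_options(SAMPLE_CONF).items():
        print(f"{path:28} Indexes={'ON ' if 'indexes' in opts else 'off'}  {sorted(opts)}")
```

Run against the sample, the auditor flags /var/www/portal (it inherits the server-wide Indexes) while the upload and estaff sections come out clean. The broader fix is the obvious one: drop Indexes from the server-wide Options (or set "Options -Indexes" at the top) and enable it only where a listing is actually wanted, which on a site with user uploads is nowhere.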
Now, Sharik, you'll be running after him for another half a day to hand over the photos...
Unfortunately, this story ended without a happy ending for me. Firstly, I had to spend a long time looking for a real bank representative connected with IT. The banks' first-line support (as well as HR themselves) fundamentally did not understand the problem, which is to be expected, but they also could not pass the information on to colleagues in the right departments.
The solution was LinkedIn and sending personal messages to the heads of various departments that were at least somehow related to the IT infrastructure.
Secondly, neither bank has a Bug Bounty program, so everything was limited to a terse "Thank you".
And thirdly, HR at both banks did not consider my resume, citing a lack of experience.