brokencrystals | A Broken Application

by NeuraLegion | CSS | Version: brokencrystals-0.0.21 | License: MIT

kandi X-RAY | brokencrystals Summary

brokencrystals is a CSS library. brokencrystals has no bugs, it has no vulnerabilities, it has a Permissive License and it has low support. You can download it from GitHub.

Broken JWT Authentication - The application includes multiple endpoints that generate and validate several types of JWT tokens. The main login API, used by the UI, uses one of these endpoints; the others are available via direct call and are described in Swagger.
Brute Force Login - Checks whether the application user is using a weak password. The default setup contains user = admin with password = admin.
Common Files - Tries to find common files that shouldn't be publicly exposed (such as "phpinfo", ".htaccess", "ssh-key.priv", etc.). The application contains .htaccess and Nginx.conf files under the client's root directory; additional files can be added by placing them under the public/public directory and running a build of the client.
Cookie Security - Checks whether the cookie has the "secure" and HttpOnly flags. The application returns two cookies (session and bc-calls-counter), both without the Secure and HttpOnly flags.
Cross-Site Scripting (XSS) -
Default Login Location - The login endpoint is available under /api/auth/login.
Directory Listing - The Nginx config file under the nginx-conf directory is configured to allow directory listing.
DOM Cross-Site Scripting - Opening the landing page with the dummy query param containing DOM content (including script) adds the provided DOM into the page and executes it.
File Upload - The application allows uploading an avatar photo for the authenticated user. The server does not perform any validation on the uploaded file.
Full Path Disclosure - All errors returned by the server include the full path of the file where the error occurred. The errors can be triggered by passing wrong values as parameters or by modifying the bc-calls-counter cookie to a non-numeric value.
Headers Security Check - The application is configured with misconfigured security headers. The list of headers is available in the headers.configurator.interceptor.ts file. A user can pass the no-sec-headers query param to any API to prevent the server from sending the headers.
HTML Injection - Both the testimonial and the mailing list subscription forms allow HTML injection.
HTTP Method fuzzer - The server supports uploading, deleting, and getting the content of a file by appending /put.raw to the URL. The actual implementation uses a regular upload endpoint of the server; the /put.raw endpoint is mapped in Nginx.
LDAP Injection - The login request returns an LDAP query for the user's profile, which can be passed as the query query parameter of /api/users/ldap. The returned query can be modified to search for other users. If the structure of the LDAP query is changed, a detailed LDAP error is returned (with LDAP server information and hierarchy).
Local File Inclusion (LFI) - The /api/files endpoint returns any file on the server from the path provided in the path param. The UI uses this endpoint to load crystal images on the landing page.
Open Database - The index.html file includes a link to a manifest URL, which returns the server's configuration, including a DB connection string.
OS Command Injection - The /api/spawn endpoint spawns a new process using the command in the command query parameter. The endpoint is not referenced from the UI.
Remote File Inclusion (RFI) - The /api/files endpoint returns any file on the server from the path provided in the path param. The UI uses this endpoint to load crystal images on the landing page.
Secret Tokens - The index.html file includes a link to a manifest URL, which returns the server's configuration, including a Mailgun API key.
Server-Side Template Injection (SSTI) - The endpoint /api/render receives a plain text body and renders it using the doT templating engine.
Server-Side Request Forgery (SSRF) - The endpoint /api/file receives the path and type query parameters and returns the content of the file in path with the Content-Type value taken from the type parameter. The endpoint supports relative and absolute file names, HTTP/S requests, as well as metadata URLs of Azure, Google Cloud, AWS, and DigitalOcean.
SQL injection (SQLI) - The /api/testimonials/count endpoint receives and executes an SQL query passed in the query query parameter.
Unvalidated Redirect - The endpoint /api/goto redirects the client to the URL provided in the url query parameter. The UI references the endpoint in the header (when clicking on the site's logo) and as the href source for the Terms and Services link in the footer.
Version Control System - The client's build process copies SVN, Git, and Mercurial source control directories to the client application root, where they are accessible under the Nginx root.
XML External Entity (XXE) - The endpoint POST /api/metadata receives URL-encoded XML data in the xml query parameter, processes it with external entities enabled (using the libxmljs library), and returns the serialized DOM. Additionally, for a request that tries to load file:///etc/passwd as an entity, the endpoint returns mocked-up content for the file.
JavaScript Vulnerabilities Scanning - Index.html includes an older version of the jQuery library with known vulnerabilities.
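The Cookie Security and Headers Security Check items above describe the kind of findings a scanner reports against this application: cookies issued without Secure/HttpOnly, and security headers that are absent. The following is an added example, not code from brokencrystals or from NeuraLegion, of a small response audit a defender can run over captured response headers. The header list, the audit function names and the sample response (which mirrors the two cookie names the README mentions) are constructed for this example.

```javascript
// Added example (not part of brokencrystals): audit an HTTP response's
// Set-Cookie values for the Secure and HttpOnly flags and report which
// common security headers are missing. REQUIRED_HEADERS is an assumed
// baseline, not the project's own list.

const REQUIRED_HEADERS = [
  'strict-transport-security',
  'content-security-policy',
  'x-content-type-options',
  'x-frame-options',
];

// Parse one Set-Cookie value into { name, flags }, where flags is a Set of
// lower-cased attribute names (secure, httponly, samesite, path, ...).
function parseSetCookie(value) {
  const parts = value.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const name = nameValue.split('=')[0].trim();
  const flags = new Set(attrs.map((a) => a.split('=')[0].trim().toLowerCase()));
  return { name, flags };
}

// headers: object mapping lower-cased header name -> string or string[]
// (the shape Node's http module exposes via response.headers).
// Returns a list of human-readable findings; an empty list means clean.
function auditResponse(headers) {
  const findings = [];
  const cookies = [].concat(headers['set-cookie'] || []);
  for (const raw of cookies) {
    const { name, flags } = parseSetCookie(raw);
    if (!flags.has('secure')) findings.push(`cookie ${name} lacks Secure`);
    if (!flags.has('httponly')) findings.push(`cookie ${name} lacks HttpOnly`);
  }
  for (const h of REQUIRED_HEADERS) {
    if (!(h in headers)) findings.push(`missing header ${h}`);
  }
  return findings;
}

// Constructed sample response: two cookies without flags, one security
// header present, the rest absent.
const sampleHeaders = {
  'content-type': 'text/html',
  'set-cookie': ['session=abc123; Path=/', 'bc-calls-counter=1; Path=/'],
  'x-content-type-options': 'nosniff',
};

console.log(auditResponse(sampleHeaders));
```

Run against the constructed sample, the audit reports four cookie findings (each cookie lacks both flags) and three missing headers; wiring it to a real capture means passing the parsed header object from an http client in place of sampleHeaders. The fix on the server side is to set the flags when issuing the cookie (for example `Secure; HttpOnly; SameSite=Lax`) and to emit the headers unconditionally rather than letting a query parameter switch them off.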

            kandi-support Support

              brokencrystals has a low active ecosystem.
              It has 74 star(s) with 163 fork(s). There are 13 watchers for this library.
              It had no major release in the last 12 months.
              There are 0 open issues and 18 have been closed. On average issues are closed in 53 days. There are 2 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of brokencrystals is brokencrystals-0.0.21

            kandi-Quality Quality

              brokencrystals has no bugs reported.

            kandi-Security Security

              brokencrystals has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.

            kandi-License License

              brokencrystals is licensed under the MIT License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            kandi-Reuse Reuse

              brokencrystals releases are available to install and integrate.
              Installation instructions are not available. Examples and code snippets are available.

            Install brokencrystals

            You can download it from GitHub.

            Support

            For any new features, suggestions and bugs create an issue on GitHub. If you have any questions check and ask questions on community page Stack Overflow .