Dinis Cruz Blog: Please hack TeamMentor 3.4.1 (learn, maybe be paid or even get a job)

Friday 2 May 2014

Please hack TeamMentor 3.4.1 (learn, maybe be paid or even get a job)

TeamMentor (TM) is the project I have been the main developer for the past couple of years, and as we approach another release (v3.4.1), I would like to invite you all to have a go and hack it (i.e. find security vulnerabilities, report them to us, learn a bit and maybe even get paid or get a job offer :)

TeamMentor is a web-based Security KB with tons of prescriptive security guidance, how-tos and guidelines. It is built on C# .NET 4.0, jQuery with a bit of AngularJS; and you can see in action at https://www.teammentor.net (you can create an eval account and have access to the entire content for 15 days)

The key security/business capabilities (from a hacking/security point of view) that TM must hold are:

Anonymous (i.e. non logged in) users must NOT be able to see the Library Structure (i.e. what Libraries, Folders, Views or Article titles exists in a particular TM instance)
Readers (i.e. users with a default/eval account) should ONLY be able to see the Library structure and the article contents (i.e. they should NOT be able to edit any article/library or access any admin functions)
The only path/exploit that an Editor should be able to gain admin access, is via inserting an XSS exploit in an TM Article which is then viewed by an admin (via social engineering). In this scenario, there should be no path where the payloads (i.e. content changes) are not logged/captured via the auto-git-commit TM capabilities
All user activities (including requestURLs and TM actions) should be tracked and logged in TM new activity/log tracking system. Basically it should NOT be possible to make any TM action (for example reading or editing an article) that is not logged and tracked
DoS is an interesting topic, since the target site is currently hosted on AZURE and I would be quite interested to see how much traffic is needed to bring TM down (probably the bottleneck will be the activity tracking and logging, but we will see)
NOTE on DOS (Denial of Service): it only counts if you are able to DOS TeamMentor WITHOUT triggering Azure's DoS detection/mitigation services. I.e if you send SO much traffic that you bring that Azure server down, THAT DOESN'T COUNT (and in fact, at the moment I can already see who is running automated tools, and if the Azure guys complain about this, I will start blocking the source IPs). Bottom line, the DOS that you want to focus is one that blocks TM with a smallish number of requests.

As you can see from some of the items listed above, this version of TM contains a first version of OWASP AppSensor-like capabilities. Basically, using Firebase realtime JSON content distribution (via WebSockets) it is now possible to see (in real-time and out-of-band) just about everything that happens in TM. Since this is the first version that we ship this, we are still trying to find the best way to visualise/map the data collected, and more importantly, how to respond to particular malicious user actions (one interesting area of security research is how to add the OWASP AppSensor detection points to the data collected)

YOUR TARGET SERVER IS http://tm-appsensor.azurewebsites.net/

Please keep your tests to this url (or to another Azure/EC2 server created by you)

Couple notes on the version at http://tm-appsensor.azurewebsites.net/:

The source code for this version is at https://github.com/TeamMentor/Dev (public repo). At the moment (2nd May 2014) you can use the master branch, but for future reference, the target version is on the 3.4.1_Release branch
I changed the admin pwd (see if you can crack it)
This version of TM is configured to NOT show the library structure to anonymous users so you will need to create an account to see the content (the version on https://www.teammentor.net shows the library structure but not the content (until you create an eval account))
I uploaded 4 libraries (two publicly available and two part of the TM Libraries sold by SI)

Lib_Docs - Public repo with the TM Documentation that you can also see at https://docs.teammentor.net (checkout the different layout/design for the same TM content)
Lib_Vulnerabilities - Public repo with the content shown at https://vulnerabilities.teammentor.net
Lib_Html5 and Lib_Java - Private repos which you can also see in action at https://www.teammentor.net

There is activity/request tracking on this version and if you want to have access to it, please let me know (since this will required admin access, I will only provide this to people I know and trust)
We kinda have a TM Bug Bounty program in place and Dinesh Shetty who submited a number of TM vulns in the past (see below details) was hired by SI :) , and btw, SI always looking for good application security talent, so with the disclaimer that I make no promises here, but if you are looking for a Application Security job at SI (or another company) finding vulns in real-world apps like TeamMentor is a great way to show your skills
When you find an security issue/vulnerability, please add them directly to our GitHub Issues list. If the issue is critical, then send it directly to me by email (dcruz@securityinnovation.com (PGP public key available on request). Btw, take a look at the current open Security Issues to make sure you are finding something new (in that list the items marked with Action:QA are expected to be fixed, so if you find that they are still exploitable, that is a valid finding)
You get extra points if you are able to perform an SQL Injection (once you look at the code you should understand why)
When you start looking at the WebServices (both ASMX and WCF), you should take a look at these two UnitTests since they will describe what is our current expectation on which type of user should be able to invoke them (i.e our Authorization mappings):