Sensitive Data Exposure (OWASP Top 10)
When a web-app leaks some sensitive data to the internet it is referred to as “Sensitive Data Exposure”. The data can be user data — passwords and usernames — or financial information. A “Man in the middle” attack scenario is also possible, in which the attacker forces the users’ traffic through a device that is controlled by the attacker, and he might intercept some unencrypted or weakly encrypted data.
On production projects databases are commonly stored on dedicated servers. However, a smaller storage option is also available, called a “flat-file” database: the whole database is stored as a single file on a computer. Because it needs so little infrastructure, it is far more common for smaller projects.
These flat-file databases are not really much of a problem in themselves, but issues come up if the flat-file is stored underneath the root directory of a website, where it can be requested like any other static file.
What is the vulnerability here? Well, we can download the database and query it. Sensitive Data Exposed!!
An SQLite database is an example of a flat-file database and can be interacted with using sqlite3, which is installed on Kali by default.
How do you access the flat-file, a curious soul might ask..
First of all, list all the files using ls -al and look for a file with a .db extension; then you can get a confirmation using the file command.
file example.db
This outputs the file type and some basic info about our database.
Now to access the file, use sqlite3 example.db. To view the tables in the database, execute .tables and you will see the names of the tables in the database. Now, if your curiosity is tingling… to view the layout of a table, execute PRAGMA table_info(table_name); and you will get the table’s columns and their types. Executing SELECT * FROM table_name; gives you all the information about each entry of the table, which could give us the password hashes and ids and what not… DON’T FORGET THE SEMI-COLON.
To crack the password hashes you could use various built-in and online tools which can easily do the job — time depending on the type of hashes. Technically it is not cracking but matching, because decrypting a hash can be tedious and take ages… so, let’s take a dive into how “decrypting” hashes happens..
The hash is a fingerprint of the original data. The way these cracking tools work is that they take that hash and match it against an existing collection of fingerprints of weak passwords; if we get a match, we have the password. MD5 is a very weak hashing algorithm.
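To make the two steps above concrete (the .tables / PRAGMA table_info / SELECT walk-through and the "matching, not decrypting" idea), here is an added example, not code from the original write-up or from the room it describes. It builds a constructed example.db in memory with one users table holding MD5 hashes, then uses Python's standard sqlite3 module to do what the sqlite3 shell does and checks the stored hashes against a constructed list of weak passwords; the table, usernames, passwords and wordlist are all made up for the demonstration.

```python
import hashlib
import sqlite3

# Constructed stand-in for a leaked wordlist of common weak passwords.
WEAK_PASSWORDS = ["123456", "password", "qwertyuiop", "letmein"]


def build_sample_db():
    """Constructed flat-file database, kept in memory so this runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    rows = [
        ("alice", hashlib.md5(b"qwertyuiop").hexdigest()),   # weak, in the wordlist
        ("bob", hashlib.md5(b"Sup3r$ecret-2024!").hexdigest()),  # not in the wordlist
    ]
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", rows)
    conn.commit()
    return conn


def list_tables(conn):
    """Same information the sqlite3 shell's .tables command prints."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    )
    return [r[0] for r in rows]


def table_columns(conn, table):
    """PRAGMA table_info(table) describes the columns, not the rows."""
    # Identifiers cannot be bound as parameters, so the name is quoted instead.
    return [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]


def match_hashes(conn, table, column, wordlist):
    """Hash every candidate and look it up: matching, not decrypting."""
    candidates = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    found = {}
    for username, digest in conn.execute(f'SELECT username, "{column}" FROM "{table}"'):
        if digest in candidates:
            found[username] = candidates[digest]
    return found


if __name__ == "__main__":
    db = build_sample_db()
    print(list_tables(db))                      # ['users']
    print(table_columns(db, "users"))           # ['id', 'username', 'password']
    print(match_hashes(db, "users", "password", WEAK_PASSWORDS))  # {'alice': 'qwertyuiop'}
```

Only alice's hash is recovered, because only her password appears in the wordlist; bob's does not, which is exactly why the tools' run time depends on the hash type and the size of the list.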