Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Taking Advantage of AJAX for Account Enumeration

Context

AJAX stands for Asynchronous JavaScript And XML. It’s a set of web development techniques using many web technologies on the client side to create asynchronous web applications. In some cases, XML is not used, but JavaScript is almost always present and used with the objective of making web applications faster and more efficient.

There are a lot of useful implementations of AJAX, for example in web forms where the user can put their ZIP code and it obtains the State and City of the address automatically, saving the user a couple of clicks. Even popular features like Google Instant run with AJAX.

However, AJAX should not be used everywhere. Web pages should be designed and restricted so that confidential information like usernames or other sensitive data is not exposed to malicious agents.

In this post, I will discuss how AJAX use on a university webpage led to an account enumeration vulnerability. Account or username enumeration is an attack where possible accounts are either brute-force or guessed, and the system confirms the existence or non-existence of such accounts.

Attack

I stumbled across a university page that uses AJAX to fill a form. When a user types in their account number it gives information about the active students enrolled. However, this feature could be exploited by an attacker.

The AJAX flow is the following:

  1. The user must input the Account number (6 digits).
  2. Using JavaScript, the browser detects when the user put the account number and make a simple POST request.
  3. Based on the answer the form gets filled (valid account number) or the user gets an error (invalid account number).

 

The POST request is the following:

1_POST

Figure 1. Example of POST request

As we can see only one parameter is used: “txtCuentaAlumno”.

Since only 6 digits are required, we could do a simple brute-force attack to enumerate the active users. I use Burp to launch the attack.

First, we configure the payload position:

2_Payload_position

Figure 2. Payload position

 

Then we configure the payload. In this case, we will use numbers:

3_Payload_config

Figure 3. Payload configuration

 

Then we configure a Grep Extract from the payload:

4_grep_extract

Figure 4. Grep Extract for the response

After we execute the attack, we can see we obtained some information:

5_Results

Figure 5. Results of the attack

We can see that the page has two possible answers:

  • In case we give an invalid account number it responds: “No encontrado” (translates to “Not Found”)
  • In case we give a valid account number it responds with the details about the student: Account digit, Last name, etc.

Finally, a small Ruby script that does the same attack:

6_Poc_Ruby

Figure 6. Simple PoC in Ruby

Possible solutions

There is no simple solution to enumeration attacks. If possible, no information should be revealed to the user unless they have already proven they are authorized to do so (for example via authentication) or in cases where the information provided is already 100% public (for example the state of a zip code).

In some cases, businesses want to make things more efficient and faster to give the user benefits in terms of numbers of clicks or time to fill a form. However, sometimes they do so by risking information leakage. In such cases, a CAPTCHA may make things more difficult for an automated attacker, but even that won’t stop a determined attacker. It’s important to know that the analysis must be done carefully since revealing private information is a very sensitive situation and may even result in legal liability.

Additional solutions that may help (and raise the general security of any website) include:

  • Log every request and monitor the logs to detect attacks like brute force, enumeration, and Password Spraying.
  • Implement a WAF to detect and stop attacks in real time. A great and easy to implement open-source WAF is ModSecurity.

Note: The screenshots were edited to omit the information about the vulnerable website and any other information that we consider sensitive.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo