Contrast-Security-OSS / vulnerable-spring-boot-application


CONTRAST: 'MD5' hash algorithm used at GranteeManager

bryanateoan opened this issue · comments

Vulnerability ID: CFQJ-CT27-MQXY-4QFP

Application Name: WebGoat1

Application Code: WebGoat1Code

Vulnerability Link: http://localhost:19080/Contrast/static/ng/index.html#/d7b17129-9c95-44dc-875a-bf9c069873a4/applications/36714e7a-20cd-4285-b794-46b9ede5f3fe/vulns/CFQJ-CT27-MQXY-4QFP

What Happened?

The code:

org.hsqldb.rights.GranteeManager#getDigester()

...obtained a handle to the hashing algorithm seen here, which is considered insecure:

digest = java.security.MessageDigest.getInstance("MD5")

What's the risk?

The application uses a hashing algorithm that has been established by researchers to be unsafe for protecting sensitive data with today's technology.

Recommendation

Cryptography is hard. There are lots of little mistakes you can make in your cryptosystem that can leak information, or worse - but choosing a known unsafe hashing algorithm can be a big mistake. This is why we wanted to alert you to the presence of a hashing algorithm being used that doesn't meet our standards.

Obviously, there are lots of times when a hashing algorithm like MD5 or SHA-1 is used in a way that doesn't represent realistic risk to your organization. However, if you find yourself needing to switch hashing algorithms, doing it in the code is very easy; data migration is a much bigger problem. Here's code that gets an MD5 digester, which is considered BROKEN by today's standards because it's not nearly as collision-resistant as once thought:

MessageDigest badDigester = MessageDigest.getInstance("MD5"); // Unsafe

The following code retrieves a SHA-256 cipher, which is considered MUCH STRONGER for many reasons (including a 256-bit hash, which is less likely to fall victim to a birthday attack):

MessageDigest safeDigester = MessageDigest.getInstance("SHA-256"); // Safe!

Attacks against unsafe digests are more than theoretical; undirected collisions can be found on an average laptop in a few seconds. Directed collisions can be generated with relatively modest resources. That being said, all practical attacks would seem to require cryptographers of rare quality and the resources of a mid-large sized organization. Therefore, you should carefully decide how likely you are to face such an attack when estimating the severity of this issue. There is a common saying in cryptography (attributed to the NSA), "Attacks always get better; they never get worse." Make your cryptographic design accordingly!

First Event


Stack:
  java.security.MessageDigest.getInstance(MessageDigest.java:181)
  org.hsqldb.rights.GranteeManager.getDigester()
  org.hsqldb.rights.GranteeManager.digest()
  org.hsqldb.rights.User.setPassword()
  org.hsqldb.rights.UserManager.createUser()
  org.hsqldb.rights.UserManager.createFirstUser()
  org.hsqldb.Database.reopen()
  org.hsqldb.Database.open()
  org.hsqldb.DatabaseManager.getDatabase()
  org.hsqldb.DatabaseManager.newSession()
  org.hsqldb.jdbc.JDBCConnection.<init>()
  org.hsqldb.jdbc.JDBCDriver.getConnection()
  org.hsqldb.jdbc.JDBCDriver.connect()
  java.sql.DriverManager.getConnection(DriverManager.java:664)
  java.sql.DriverManager.getConnection(DriverManager.java:247)
  org.owasp.webgoat.session.DatabaseUtilities.getHsqldbConnection(DatabaseUtilities.java:126)
  org.owasp.webgoat.session.DatabaseUtilities.makeConnection(DatabaseUtilities.java:109)
  org.owasp.webgoat.session.DatabaseUtilities.getConnection(DatabaseUtilities.java:72)
  org.owasp.webgoat.session.DatabaseUtilities.getConnection(DatabaseUtilities.java:57)
  org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5a.injectableQuery(SqlInjectionLesson5a.java:61)
  org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5a.completed(SqlInjectionLesson5a.java:56)
  sun.reflect.NativeMethodAccessorImpl.invoke0()
  sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
  sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  java.lang.reflect.Method.invoke(Method.java:498)
  org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)
  org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:133)
  org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:97)
  org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827)
  org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738)
  org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
  org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
  org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
  org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
  org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)
  javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
  org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
  javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.springframework.boot.web.filter.ApplicationContextHeaderFilter.doFilterInternal(ApplicationContextHeaderFilter.java:55)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:110)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
  org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127)
  org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)

Last Event


Stack:
  java.security.MessageDigest.getInstance(MessageDigest.java:181)
  org.hsqldb.rights.GranteeManager.getDigester()
  org.hsqldb.rights.GranteeManager.digest()
  org.hsqldb.rights.User.setPassword()
  org.hsqldb.rights.UserManager.createUser()
  org.hsqldb.rights.UserManager.createFirstUser()
  org.hsqldb.Database.reopen()
  org.hsqldb.Database.open()
  org.hsqldb.DatabaseManager.getDatabase()
  org.hsqldb.DatabaseManager.newSession()
  org.hsqldb.jdbc.JDBCConnection.<init>()
  org.hsqldb.jdbc.JDBCDriver.getConnection()
  org.hsqldb.jdbc.JDBCDriver.connect()
  java.sql.DriverManager.getConnection(DriverManager.java:664)
  java.sql.DriverManager.getConnection(DriverManager.java:247)
  org.owasp.webgoat.session.DatabaseUtilities.getHsqldbConnection(DatabaseUtilities.java:126)
  org.owasp.webgoat.session.DatabaseUtilities.makeConnection(DatabaseUtilities.java:109)
  org.owasp.webgoat.session.DatabaseUtilities.getConnection(DatabaseUtilities.java:72)
  org.owasp.webgoat.session.DatabaseUtilities.getConnection(DatabaseUtilities.java:57)
  org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5a.injectableQuery(SqlInjectionLesson5a.java:61)
  org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5a.completed(SqlInjectionLesson5a.java:56)
  sun.reflect.NativeMethodAccessorImpl.invoke0()
  sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
  sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  java.lang.reflect.Method.invoke(Method.java:498)
  org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)
  org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:133)
  org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:97)
  org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827)
  org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738)
  org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
  org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
  org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
  org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
  org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)
  javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
  org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
  javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.springframework.boot.web.filter.ApplicationContextHeaderFilter.doFilterInternal(ApplicationContextHeaderFilter.java:55)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:110)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
  org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127)
  org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)

HTTP Request

POST http://localhost:19070/WebGoat/SqlInjection/attack5a HTTP/1.0
Sec-Fetch-Mode: cors
Content-Length: 12
Referer: http://localhost:19070/WebGoat/start.mvc
Sec-Fetch-Site: same-origin
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=E79F7E4EB8687A265010C5940CD0FF7D; jenkins-timestamper-offset=14400000; hudson_auto_refresh=true; JSESSIONID.138869cf=node01sk0d9c6p3gx3lr4k1xmwvmfh2.node0; JSESSIONID.18d0255b=node0utcnf3p6v7w7195o0jglxmtbd0.node0; screenResolution=1680x1050; JSESSIONID.ced8248f=node01dfc137dvgdy91ly9lwm4e7b180.node0
Origin: http://localhost:19070
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
Accept: */*
Host: localhost:19070
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate, br

account=test

References

https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
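Added example, not part of the report above and not HSQLDB's or WebGoat's code. The report says switching the digest in code is easy but that migrating stored data is the real problem, and the stack trace shows the MD5 call feeding org.hsqldb.rights.User.setPassword(), so the stored values are credential hashes produced inside the HSQLDB library rather than by WebGoat itself; fixing the flagged line therefore means changing the dependency, not editing application code. The Java below shows one way to carry out the data migration lazily: each record carries an algorithm tag, verification accepts both the old md5 form and the new salted sha256 form, and a successful check against an old record returns an upgraded record for the caller to persist. The record format, method names and sample secret are this example's own assumptions. One caveat the report does not spell out: the OWASP cheat sheet it links treats password storage separately and recommends a salted, deliberately slow password hashing function; plain SHA-256 is the report's drop-in replacement for MD5, not a password hashing design.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class DigestMigration {

    private static final SecureRandom RNG = new SecureRandom();

    // Legacy record, the pattern the report flags: unsalted MD5 of the secret.
    static String legacyMd5(String secret) {
        return "md5:" + hex(digest("MD5", utf8(secret)));
    }

    // Replacement record (assumed format): SHA-256 over a random 16-byte salt followed by the secret.
    static String sha256Salted(String secret) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return "sha256:" + hex(salt) + ":" + hex(digest("SHA-256", concat(salt, utf8(secret))));
    }

    /**
     * Checks the secret against a stored record of either form. Returns the
     * record the caller should persist: unchanged for a sha256 record, an
     * upgraded sha256 record when an md5 record matched, or null on mismatch.
     * An md5 record can only be replaced while the plaintext is in hand,
     * which is why the upgrade happens inside verification.
     */
    static String verifyAndUpgrade(String stored, String secret) {
        String[] parts = stored.split(":");
        switch (parts[0]) {
            case "md5": {
                byte[] expected = fromHex(parts[1]);
                // MessageDigest.isEqual is a constant-time comparison.
                boolean ok = MessageDigest.isEqual(expected, digest("MD5", utf8(secret)));
                return ok ? sha256Salted(secret) : null;
            }
            case "sha256": {
                byte[] salt = fromHex(parts[1]);
                byte[] expected = fromHex(parts[2]);
                boolean ok = MessageDigest.isEqual(expected, digest("SHA-256", concat(salt, utf8(secret))));
                return ok ? stored : null;
            }
            default:
                throw new IllegalArgumentException("unknown digest tag: " + parts[0]);
        }
    }

    static byte[] digest(String algorithm, byte[] input) {
        try {
            return MessageDigest.getInstance(algorithm).digest(input);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(algorithm + " unavailable", e);
        }
    }

    static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static byte[] fromHex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) {
        String secret = "constructed-sample-secret";           // constructed input, not real data
        String stored = legacyMd5(secret);                     // what a legacy row would hold
        String upgraded = verifyAndUpgrade(stored, secret);    // correct secret: record is rewritten
        System.out.println(stored + "\n  -> " + upgraded);
        System.out.println("wrong secret accepted? " + (verifyAndUpgrade(upgraded, "nope") != null));
        System.out.println("stable after upgrade? " + upgraded.equals(verifyAndUpgrade(upgraded, secret)));
    }
}
```

Compile and run with javac DigestMigration.java && java DigestMigration. Once no md5-tagged records remain, the "md5" branch can be deleted, at which point MessageDigest.getInstance("MD5") disappears from the code path the report flags.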