Dates
Tests: Between February 17 and 19, 2024
Reporting: February 20, 2024
CVE Request: April 05, 2024
Publication of vulnerabilities: 02 July 2024 (after validation by ESKOOLY)
I've always been passionate about cybersecurity, and over the weekend of February 17 and 18, I had the opportunity to put my skills into practice outside my day job. A friend had asked me to check the security of a free school management application he'd found, called Eskooly. His main concern was the application's security, in particular the possibility of students stealing information or modifying their grades.
I liked the idea right away. A cybersecurity challenge was exactly what I needed. So I decided to devote my weekend to the task.
To get started, I used several well-known automated tools in the cybersecurity field:
Burp (see the tutorial in Capsule 3): A tool for testing web vulnerabilities.
Nmap: A port and service scanner.
sqlmap: A tool for detecting and exploiting SQL vulnerabilities.
These tools enabled me to save time by automating some of the security testing. However, automation has its limits, and it is often necessary to add a layer of manual testing to discover more complex vulnerabilities.
After several hours of testing, I began to find some interesting vulnerabilities. Among the critical vulnerabilities discovered, here are a few examples:
SQL Injection: This flaw made it possible to interfere with the application's SQL queries, potentially giving access to the entire database.
Broken Authentication: Lack of account locking policy after several failed login attempts, opening the door to brute-force attacks.
Cross-site scripting (XSS): Allowed the injection of malicious scripts into web pages viewed by other users, compromising their accounts.
Incorrect configuration of security headers: Several security headers essential for protecting the application against various attacks were missing.
These vulnerabilities exposed critical information such as platform users' unencrypted logins and passwords, posing a major security risk.
On February 20, I wrote a full pentest report detailing all the vulnerabilities discovered and recommendations for correcting them. This report was sent directly to the Eskooly vendor.
The vendor contacted me the next day, February 21, to discuss the findings. He accepted the report and asked for my help in resolving the issues identified.
On April 5, 2024, the discovered vulnerabilities were published on the MITRE CVE platform. Since then, we've been working closely together to improve the application's security. On July 2, 2024, the supplier gave me the go-ahead to publish these findings, enabling the CVEs to be validated and officially published.
It was a rewarding experience to dive into this security project, discover critical vulnerabilities, and work with the vendor to fix them. In the following articles, we'll explore in more detail how these vulnerabilities were found, exploited and, most importantly, how to remedy them.