Security Audit - Thomas More

In this project, I will discuss the results of our recent security audit project, which was conducted as a part of my studies at Thomas More. The purpose of the audit was to assess the cybersecurity of a cloud-based solution, used by various institutions. The goal of the audit was to identify potential vulnerabilities and security weaknesses in the platform and to provide recommendations for improvement. Through this audit, we aimed to ensure the safety and security of the users personal data.

Methodology

The security audit was conducted using manual testing. Our primary method of testing was using web browsers to manually interact with the platform and observe its behavior.

The scope of the audit was limited to the web-based version of the platform and did not include any other related systems or infrastructure. We focused on identifying vulnerabilities related to the confidentiality, integrity, and availability of user data.

It's worth noting that, as with any security audit, there may be limitations and assumptions that could have an impact on the results. This includes the possibility that some vulnerabilities may not have been identified and that the recommendations provided may not be exhaustive.

Vulnerabilities identified

During the security audit, we identified two vulnerabilities that could potentially impact the confidentiality, integrity, and availability of user data.

Insecure Direct Object Reference (IDOR)

An Insecure Direct Object Reference (IDOR) is a vulnerability that occurs when an application's access controls or authorization mechanisms are insufficiently implemented. It allows an attacker to access or manipulate data by directly referencing internal implementation objects or identifiers, such as database keys or file names, without proper authorization.

Typically, in a secure application, access to sensitive data or resources is controlled through some form of authentication and authorization mechanisms. These mechanisms ensure that users can only access the data or resources they are authorized to access.

However, in the case of an IDOR vulnerability, the application fails to properly validate or enforce these access controls. As a result, an attacker can bypass the intended restrictions and directly reference internal objects or identifiers to gain unauthorized access to sensitive information or perform actions they shouldn't be able to.

For example, let's consider a scenario where a web application displays student records based on a user's input. The application should only show the records that the user has permission to access, such as their own records. However, if the application does not properly validate the user's authorization level, an attacker could manipulate the request parameters or URLs to access the records of other students or privileged users.

By exploiting an IDOR vulnerability, an attacker can potentially gain access to sensitive data, manipulate information, escalate privileges, or perform other unauthorized actions within the application. This can lead to data breaches, privacy violations, unauthorized modifications, or other security-related consequences.

To mitigate IDOR vulnerabilities, it is important for applications to implement proper access controls, validate user permissions and authorization levels, and enforce restrictions on accessing sensitive data or resources. Regular security assessments and thorough testing can help identify and address these vulnerabilities before they can be exploited by malicious actors.

The vulnerability allowed unauthorized access to sensitive information, including student rosters, individual study programs, exam rosters, and personal information.

We found this vulnerability after playing around with the URL parameters that were included in the page response. We could also retrieve this data through the ICS calendar feeds.

By exploiting this vulnerability, an attacker could view data that should be restricted to specific individuals or roles. It's fortunate that the builders of the timetable SaaS solution addressed this vulnerability after it was reported, which helps to protect the confidentiality and privacy of the affected data.

Open redirect in SSO implementation

An open redirect is a vulnerability that exists in web applications and occurs when a website or application redirects a user to a target URL specified in an unvalidated or user-supplied parameter. This can be exploited by attackers to redirect users to malicious or unauthorized websites, potentially leading to various security risks.

The vulnerability arises when the application fails to properly validate or sanitize the user-supplied input used to construct the redirect URL. Typically, a legitimate web application uses redirect functionality to send users to different pages or external websites for various purposes, such as after a successful login or upon clicking a specific link.

However, in the case of an open redirect vulnerability, an attacker can manipulate the redirect URL parameter to include a malicious or unauthorized destination. For example, an attacker could craft a URL that appears to be legitimate but actually points to a phishing website, a malicious download, or a page designed to exploit a user's trust or perform unauthorized actions.

To make the attack convincing, attackers often leverage trusted domains or well-known websites in the URL, making it appear legitimate to unsuspecting users. They may use techniques like URL encoding or obfuscation to disguise the true destination.

The consequences of an open redirect vulnerability can include phishing attacks, where users are tricked into providing sensitive information on fraudulent websites, or the execution of other malicious actions on the user's device.

To mitigate open redirect vulnerabilities, it is important for web applications to implement proper input validation and sanitization techniques to ensure that the redirect URLs are trusted and authorized. Developers should validate and restrict the redirect destinations to known, safe, and authorized URLs. Additionally, user awareness and education can help users recognize and avoid clicking on suspicious or unverified links.

The vulnerability in the single sign-on (SSO) implementation of Thomas More / KU Leuven allowed for open redirects, which can lead to various issues. In our proof-of-concept, we demonstrated that this vulnerability could potentially be used to take over a lecturer's browser session and manipulate grades of other students.

This poses a serious threat to the integrity of academic records and the overall trust in the system. It's important that this vulnerability is addressed promptly by the responsible parties to prevent any potential abuse or unauthorized access.

Because this issue has not been resolved yet, we cannot safely share how we found this vulnerability and how we could exploit this.

Conclusion

In summary, the security audit identified several vulnerabilities that could potentially impact the confidentiality, integrity, and availability of user data.

It is important to note that the actual impact of the vulnerabilities would depend on the specific circumstances and the attacker's objectives.

The findings of this audit highlight the importance of regularly auditing and securing cloud-based platforms, as well as the importance of user education and security awareness. It also serves as a reminder that similar platforms should also be evaluated for security vulnerabilities, to ensure the protection of their users' data.

Special thanks

I would like to extend a special thank you to a fellow security researcher for the invaluable contribution to this project. The expertise and dedication were phenomenal in identifying the vulnerabilities and conducting this audit, from which I certainly learned a lot.

I would also like to express my gratitude to Thomas More for giving me the opportunity to conduct this project as a part of my studies. This project has provided me with a valuable learning experience and has helped me to develop and improve my cybersecurity skills.