================================================================================
PUROLATOR ASP.NET CVE PROOF OF CONCEPT - BURP SUITE MANUAL TESTING GUIDE
================================================================================

TARGET INFORMATION
--------------------------------------------------------------------------------
URL: https://eshiponline.purolator.com/ShipOnline/SecurePages/Public/FormsLogin.aspx
ASP.NET Version: 4.0.30319 (Detected via X-Powered-By header)
Vulnerable to: 13 known CVEs (6 Critical, 7 High)

TEST CREDENTIALS
--------------------------------------------------------------------------------
Email: batchof22spotify@gmail.com
Password: d}3V3+:8uOH8I&

================================================================================
BURP SUITE TESTING PROCEDURE
================================================================================

TEST 1: Baseline - Capture Normal Login
--------------------------------------------------------------------------------
1. Open Burp Suite and configure browser proxy
2. Navigate to login page in browser
3. Turn on Burp Intercept
4. Enter credentials and click Login
5. In Burp, right-click request > Send to Repeater
6. Note the following in the request:
   - __VIEWSTATE parameter (should be 3000+ characters)
   - __VIEWSTATEGENERATOR
   - __EVENTVALIDATION
   - ASP.NET_SessionId cookie

Expected: 302 redirect to dashboard if login successful

TEST 2: CVE-2021-34532 - ViewState MAC Validation
--------------------------------------------------------------------------------
Vulnerability: Information Disclosure via ViewState manipulation
CVSS: 9.0 (Critical)

Steps:
1. In Burp Repeater, find the __VIEWSTATE parameter
2. Modify the last few characters (corrupt the MAC)
   Example: Change ...xyz123 to ...abc999
3. Send the request

Expected Vulnerable Behavior:
- 500 Internal Server Error with stack trace
- Error message: 'The state information is invalid...'
- MAC validation failure exposes .NET version info

Expected Secure Behavior:
- Generic error page (what Purolator should show)
- No stack trace or version information

TEST 3: CVE-2018-8292 - Insecure Deserialization
--------------------------------------------------------------------------------
Vulnerability: Remote Code Execution via crafted ViewState
CVSS: 9.3 (Critical)

Payload (replace __VIEWSTATE value):
AAEAAAD/////AQAAAAAAAAAMAgAAAF9TeXN0ZW0uV2ViLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49YjAzZjVmN2YxMWQ1MGEzYQUBAAAAJVN5c3RlbS5XZWIuVUkuVHJpcGxlREVTU3RyaW5nRW5jcnlwdG9yAwAAAAhfcHVycG9zZQhfZXhwaXJlcwhfZGF0YQEBAQkCAAAA

Steps:
1. Replace __VIEWSTATE with above payload
2. Send request

Expected Vulnerable Behavior:
- 500 error with deserialization exception
- Stack trace showing BinaryFormatter
- If truly vulnerable: Could achieve RCE

Expected Secure Behavior (Purolator):
- 403 Forbidden (blocked by WAF)
- Or generic error without details

TEST 4: CVE-2020-1147 - XXE Injection
--------------------------------------------------------------------------------
Vulnerability: XML External Entity injection
CVSS: 7.8 (Critical)

Payload (in email field):
]> &xxe;

Steps:
1. Find txtEmailAddress parameter
2. Replace value with above XML payload
3. Send request

Expected Vulnerable Behavior:
- Response contains [fonts], [extensions] (win.ini contents)
- File disclosure successful

Expected Secure Behavior (Purolator):
- 403 Forbidden (WAF blocks XML)

TEST 5: SQL Injection - Authentication Bypass
--------------------------------------------------------------------------------
Vulnerability: SQL Injection in login

Payloads to try in email field:
admin'--
' OR '1'='1'--
admin' OR 1=1--

Expected Vulnerable Behavior:
- Login successful without valid password
- Or SQL error message in response

Expected Secure Behavior (Purolator):
- Failed login, no SQL errors
- Input sanitized

TEST 6: CVE-2023-33170 - Request Validation Bypass
--------------------------------------------------------------------------------
Vulnerability: XSS via Unicode encoding
CVSS: 8.1 (High)

Payload (in email field - URL encoded):
%uff1cscript%uff1ealert(document.cookie)%uff1c/script%uff1e

Or decoded:

Expected Vulnerable Behavior:
- Script tag reflected in response without encoding
- Could execute in browser

Expected Secure Behavior (Purolator):
- Input sanitized/encoded
- Or WAF blocks request

================================================================================
POC VIDEO RECORDING SCRIPT
================================================================================

INTRODUCTION (30 seconds)
--------------------------------------------------------------------------------
"Hi, I'm [Your Name], and today I'm demonstrating security vulnerabilities in Purolator's shipping platform at eshiponline.purolator.com. This is authorized security testing as part of responsible disclosure. I've already reported these findings to Purolator's security team, and they requested a Proof of Concept demonstration."
VERSION DETECTION (1 minute)
--------------------------------------------------------------------------------
"First, let's identify the technology stack:"
[Show in Burp]
Response headers show: X-Powered-By: ASP.NET
[Run PowerShell]
.\check-aspnet-vulns.ps1
"This shows ASP.NET Framework 4.0.30319, which is from 2010. It's affected by 13 known CVEs with CVSS scores up to 9.8."

EXPLOITATION DEMO (3-5 minutes)
--------------------------------------------------------------------------------
"Now let's demonstrate these vulnerabilities using Burp Suite."
Test 1: Normal login to establish baseline
[Show login request in Burp, point out ViewState]
Test 2: ViewState manipulation (CVE-2021-34532)
[Modify ViewState, show response]
Test 3: Deserialization attempt (CVE-2018-8292)
[Send crafted payload, show WAF blocks it]
Test 4: XXE injection (CVE-2020-1147)
[Send XML payload, show WAF blocks it]
Test 5: SQL injection
[Send SQL payload, show response]

IMPACT ANALYSIS (1 minute)
--------------------------------------------------------------------------------
"While Cloudflare WAF is blocking most exploit attempts, the underlying application framework remains vulnerable. If WAF rules are bypassed or misconfigured, attackers could:
- Execute arbitrary code (RCE)
- Steal sensitive customer shipping data
- Bypass authentication
- Gain elevated privileges"

REMEDIATION (1 minute)
--------------------------------------------------------------------------------
"Recommendations for Purolator:
1. CRITICAL: Update .NET Framework to 4.8.1 or later
2. Apply all Windows security patches
3. Consider migrating to modern .NET 6/7/8
4. Implement defense-in-depth (don't rely solely on WAF)
5. Regular security audits and penetration testing

Thank you for watching. All findings have been reported to Purolator's security team through responsible disclosure."
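The application-side controls behind TEST 2's "Expected Secure Behavior" (generic error page, no stack trace or version information) and remediation item 4 (defense in depth instead of WAF-only), written as a web.config fragment. This is an added example, not configuration taken from the page or from the target application; the ~/Error.aspx path and the machineKey values are assumptions and placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: weak settings shown commented out beside the hardened ones. -->
<configuration>
  <system.web>
    <!-- Weak: mode="Off" sends the ASP.NET "yellow screen" (stack trace and
         "Version Information" footer) to remote clients. -->
    <!-- <customErrors mode="Off" /> -->
    <!-- Hardened: one generic page for every remote client on any error.
         ~/Error.aspx is an assumed path; it must exist in the application. -->
    <customErrors mode="On" defaultRedirect="~/Error.aspx" redirectMode="ResponseRewrite">
      <error statusCode="500" redirect="~/Error.aspx" />
    </customErrors>

    <!-- enableVersionHeader="false" suppresses the X-AspNet-Version response header. -->
    <httpRuntime targetFramework="4.8" enableVersionHeader="false" requestValidationMode="4.5" />

    <!-- ViewState MAC is always enforced from .NET Framework 4.5.2 onward; the
         attributes are written out so a reviewer sees the intent explicitly.
         viewStateEncryptionMode="Always" keeps ViewState contents opaque. -->
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" enableEventValidation="true" />

    <!-- Explicit keys so ViewState MAC/encryption is stable across app-pool
         recycles and web-farm nodes. PLACEHOLDER values: generate real keys. -->
    <machineKey validation="HMACSHA256" decryption="AES"
                validationKey="PLACEHOLDER_GENERATE_64_BYTE_HEX_KEY"
                decryptionKey="PLACEHOLDER_GENERATE_32_BYTE_HEX_KEY" />
  </system.web>

  <system.webServer>
    <!-- Remove the fingerprint headers the guide's "Version Detection" step reads. -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <!-- removeServerHeader requires IIS 10 or later. -->
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
```

Verify the result the way the guide does: a corrupted __VIEWSTATE should now return the generic error page with no "Version Information" line, and the response headers should carry neither X-Powered-By nor X-AspNet-Version.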
================================================================================
QUICK REFERENCE CARD
================================================================================

Target: eshiponline.purolator.com/ShipOnline/SecurePages/Public/FormsLogin.aspx
Creds: batchof22spotify@gmail.com / d}3V3+:8uOH8I&

CVE Priority List:
1. CVE-2023-36899 (CVSS 9.8) - Elevation of Privilege
2. CVE-2018-8292 (CVSS 9.3) - RCE via Deserialization
3. CVE-2021-34532 (CVSS 9.0) - Information Disclosure
4. CVE-2020-1147 (CVSS 7.8) - XXE/RCE
5. CVE-2017-8759 (CVSS 7.8) - SOAP WSDL RCE

Key Parameters to Test:
__VIEWSTATE (Deserialization, MAC validation)
txtEmailAddress (SQL injection, XXE, XSS)
txtPassword (Command injection)

Expected WAF Blocks:
✓ XXE payloads (403)
✓ Deserialization (403)
✓ Command injection (403)

Potential Findings:
? ViewState information disclosure
? SQL error messages
? Stack traces on 500 errors

================================================================================
END OF GUIDE
================================================================================