Penetration Testing Report PDF
Penetration Testing Report PDF
Penetration Testing Report PDF
Company XYZ
Conducted By
MD Anwar Hossain
1
Executive Summary
This penetration testing is conducted completely in the “Black box” manner of the company
XYZ web application.
The following sections provide overview of the vulnerabilities, recommendation and s
As per contract, social engineering and DDos attack out of scope. The engagement didn’t
conduct these.
The rating of the testing. I highly recommend reviewing the section of Summary of business
risks and High-Level Recommendations for better understanding of risks and discovered
security issues.
Grading Criteria:
2
Vulnerability Summary
The test discovered a few vulnerabilities that may cause the broken confidentiality and
integrity of the resources. Identified vulnerabilities easily exploitable by the attacker and
application can be damaged.
No of issues 3 2 3 1 2
Finging Severity
High
FN-04 Account profile can be changed by
attacker from the edit profile section without
interaction with user
3
FN-09 Nuked-Klan index.php Multiple Medium
Module Vulnerabilities
Severity scoring:
● Critical- Immediate threat to key business processes.
● High– Direct threat to key business processes.
● Medium – Indirect threat to key business processes or partial threat to business
processes.
● Low– No direct threat exists. Vulnerability may be exploited using other vulnerabilities.
● Informational – This finding does not indicate vulnerability, but states a comment that
notifies about design flaws and improper implementation that might cause a problem in the
long run.
Scope:
I performed a discovery process to gather information about the assets and search for
information disclosure vulnerabilities.I tested the authentication and authorization, session
management, user input sanitization process. This penetration testing purpose is to mitigate
the weakness of the application,so I recommended the mitigation strategies for improving
the security posture.
4
● Metasploit
● Shodan
● Crt.sh
● Sqlmap
Methodology
I followed the following methodology:
The Open Web Application Security Project is an online community that produces
freely-available articles, methodologies, documentation, tools, and technologies in the
field of web application security. The Open Web Application Security Project provides
free and open resources.
5
Findings Details
FN-01 Database Username and password publicly available in github.
Severity: Critical
Location:
● xyz.com
Issue Description:
Database administrators and developers use credentials for accessing the root user of the
database. They keep the application users' details on the database. If it leaks, companies'
reputation can be hampered.
Proof of vulnerability :
Use google dorking for searching github repositories. One repository has come in the result,
which is the developer private repository. He put the database credentials in the github
repository docker configuration file.
Impact: Hackers can login to the database and dump username and password .
6
FN-02 Information Disclosure via Http response header
Severity: Informational
Location:
● xyz.com
Tools used: Burp suite
Issue description:
Revealing used application versions is risky , if any vulnerability is publicly discovered and
published. It can lead the hacker to check the CVV or CVSS and can compromise the
system.
Proof of vulnerability:
Browse the website and intercept the request by the burp suite. Check the response of the
request. It revealed the version. The version is Apache 2.4.38 which is highlighted.
Recommendation:
The system administrator should show the version of the server.
Issue description:
Open ports provide the attackers with the pathway of compromising the environment. It isn't
immediately vulnerable. But, it becomes dangerous when the services are exploited and
security vulnerabilities are exposed.
7
Proof of vulnerability:
Used the port scanning tools for scanning service and version. Found the ports and services.
Used command :
nmap -sC -sV -oA nmap ip
FN-04 Account profile can be changed by attacker from the edit profile
section without interaction with user
Severity: High
Location:
● xyz.com
8
Issue description:
Account takeover (ATO) or account hijacking is an attack which allows an attacker to gain
the access of the target user.
Proof of vulnerability:
Opened two accounts for checking the vulnerability. One is the victim account and another
one is the attacker.
9
User id shows here. Now change the user_id with the victim user_id. Change the mail
address with one-time mail. The victim account about us section would change.
10
Victim account screenshot attached here.
Recommendation:
Validate user input before validation.
Severity: Low
Location:
● xyz.com
Issue description:
The application appears to trust the user-supplied host header. By supplying a malicious
host header with a password reset request, it may be possible to generate a poisoned
password reset link. Consider testing the host header for classic server-side injection
vulnerabilities. Depending on the configuration of the server and any intervening caching
devices, it may also be possible to use this for cache poisoning attacks.
Proof of vulnerability:
Change the host with evil.com. It reflects on the response. When a user clicks on the link
that redirects to evil.com.
11
Recommendation:
Don’t trust the host header. In case of necessity of using the host header as a mechanism
for identifying the location of the web server, it’s highly advised to make use of a whitelist of
allowed hostnames.
Issue description:
Password reset poisoning is a technique whereby an attacker manipulates a vulnerable
website into generating a password reset link pointing to a domain under their control. This
behavior can be leveraged to steal the secret tokens required to reset arbitrary users'
passwords and, ultimately, compromise their accounts.
12
Proof of vulnerability:
Put the email address in the forgot password option. Send it and intercept the request
through the burp suite. Change the host to an attacker hosted address which is created by
ngrok.
After changing the request forwarded it. The user will get the link and if the user clicks the
link then the attacker will get the password reset token. Attackers can change the password.
13
FN-07 IDOR attack to bypass normal user to super admin
Severity: Critical
Location:
● xyz.com
Issue description:
Insecure Direct Object Reference (called IDOR from here) occurs when an application
exposes a reference to an internal implementation object. Using this way, it reveals the real
identifier and format/pattern used of the element in the storage backend side. The most
common example of it (although is not limited to this one) is a record identifier in a storage
system (database, filesystem and so on).
Proof of vulnerability:
Create a normal user account. Change the edit profile, capture the request through burp
suite. Observe the request and see there is a user_role variable where id is 3. Change the
role_id 3 to 1 and put an email.
14
The role id has been changed in the below picture.
15
Then forward the request , then the user right elevated to the super user.
16
Recommendation:
1. Avoid predictable references.
2. Always validate user requests.
Reference
https://crashtest-security.com/insecure-direct-object-reference-idor/
FN-08 Vulnerable version of Jquery installed JQuery 1.2 < 3.5.0 Multiple XSS
Severity: Medium
Location:
● xyz.com
Issue description:
According to the self-reported version in the script, the version of JQuery hosted on the
remote web server is greater than or equal to 1.2 and prior to 3.5.0. It is, therefore, affected
by multiple cross site scripting vulnerabilities.
Note, the vulnerabilities referenced in this plugin have no security impact on PAN-OS, and/or
the scenarios required for successful exploitation do not exist on devices running a PAN-OS
release.
Proof of vulnerability:
17
Recommendation:
Upgrade to JQuery version 3.5.0 or later.
Issue description:
The instance of Nuked-klan running on the remote web server is affected by multiple
vulnerabilities due to a failure to sanitize user-supplied input to several parameters before
using them in the 'Team', 'News', and 'Liens' modules to display dynamic HTML. An
unauthenticated, remote attacker can exploit these issues to execute arbitrary script code in
a user's browser session.
Additionally, an information disclosure vulnerability exists that allows a remote attacker to
disclose the physical path of the directory in which the application is installed; however,
Nessus did not test for this.
Proof of vulnerability:
Recommendation:
● Patch with the stable version.
Issue description:
The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of
cryptographic design flaws. Modern implementations of TLS 1.0 mitigate these problems, but
newer versions of TLS like 1.2 and 1.3 are designed against these flaws and should be used
whenever possible.
18
As of March 31, 2020, Endpoints that aren’t enabled for TLS 1.2 and higher will no longer
function properly with major web browsers and major vendors.
PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS
POI terminals (and the SSL/TLS termination points to which they connect) that can be
verified as not being susceptible to any known exploits.
Proof of vulnerability:
Recommendation:
Enable support for TLS 1.2 and 1.3, and disable support for TLS 1.0.
19