VAPT-1

It's about the VAPT report of vulnweb.com
VAPT REPORT
for testphp.vulnweb.com

TABLE OF CONTENTS

1. Disclaimer
2. ASSESSMENT OVERVIEW
2.1. SCOPE
3. Executive summary
4. Detailed findings
4.1. SQLi
4.2. XSS (Cross-site scripting)
4.3. CRYPTOGRAPHIC FAILURE
4.4. OS INJECTION
4.5. Security Misconfiguration
4.6. Vulnerable and Outdated Components
4.7. Information disclosure

Disclaimer:

This Vulnerability Assessment and Penetration Testing (VAPT) Report is based on security
testing conducted on testphp.vulnweb.com, a purposely vulnerable application provided by
Acunetix for ethical hacking and security research. The findings in this report:

● Are intended solely for educational and research purposes and must not be used for unauthorized testing on real-world applications.
● Do not reflect vulnerabilities in live production environments.
● Are specific to the test environment and may not accurately represent real-world security threats.
● Are not meant for malicious activities but should be used to enhance security awareness and best practices.
● Do not imply any endorsement or security validation from Acunetix or any third party.

Neither the testers nor the organization bear responsibility for any misuse or unauthorized
testing beyond the testphp.vulnweb.com environment.
ASSESSMENT OVERVIEW

Vulnerability Levels Description

Critical: Exploitation of the vulnerability may result in complete compromise of the Database server or Application server. It can have a major impact on business. (CVSS Score 9.0-10)

High: Exploitation of the vulnerability may result in complete compromise of the Application / disclosure of sensitive information. The vulnerability is easily exploitable. (CVSS Score 7.0-8.9)

Medium: Exploitation of the vulnerability may result in some control on the Application / disclosure of semi-sensitive information. Exploitation of this vulnerability is possible but difficult. (CVSS Score 4.0-6.9)

Low: Exploitation of the vulnerability may result in little or no impact on the application / disclosure of less sensitive information. Exploitation of this vulnerability is extremely difficult. (CVSS Score 0.0-3.9)

Informational: The informational risk level indicates that some functionality or component is missing a best-practice implementation in the application. Such a finding may not have a risk associated with it currently, but it may become a vulnerability in future due to a change in the application, the evolution of exploitation techniques, or policy/legal requirements. Mitigation depends upon the owner's decision; however, it is recommended that it be mitigated if it is not in line with the policy or law.

SCOPE:
Web Application: testphp.vulnweb.com
Common Web Vulnerabilities:

● SQL Injection (SQLi)
● Cross-Site Scripting (XSS)
● Security Misconfigurations
● Information Disclosure
● Broken Authentication
● Insecure Direct Object References (IDOR)
● Cross-Site Request Forgery (CSRF)
● Server-Side Request Forgery (SSRF)

Executive summary

CRITICAL | HIGH | MEDIUM | LOW | Total
2 | 2 | 2 | 2 | 8

SL. NO | Vulnerability Type | CVSS Score | Critical | High | Medium | Low | Informational | Total
1 | SQL Injection (SQLi) | 7.0-9.0 | 1 | 0 | 0 | 0 | 0 | 1
2 | Cryptographic Failures | 7.5-10 | 0 | 1 | 0 | 0 | 0 | 1
3 | Vulnerable and Outdated Components | 7.0-9.0 | 1 | 1 | 0 | 0 | 0 | 1
4 | Security Misconfiguration | 5.0-8.0 | 0 | 1 | 1 | 0 | 0 | 1
5 | XSS (Cross-Site Scripting) | 4.0-7.0 | 0 | 1 | 0 | 0 | 0 | 1
6 | Information Disclosure | 4.3-7.0 | 0 | 0 | 1 | 0 | 0 | 1
7 | OS cmd injection | | | | | | |

Detailed findings

4.1. Vulnerability Name: SQLi (SQL injection)

Vulnerability Rating:

CVSS:

Vulnerability Description:

Impact:

Proof:

Remediation:

4.2. Vulnerability Name: XSS (Cross-site scripting)

Vulnerability Rating: High

CVSS:

Vulnerability Description: XSS attacks occur due to improper input sanitization and can affect any website that dynamically includes user input without encoding or validating it properly.

Impact:
1. Data Theft & Credential Hijacking
● Attackers can steal session cookies, authentication tokens, or sensitive user data.
● This can lead to account takeovers and unauthorized access.

2. Phishing & Social Engineering
● Malicious scripts can redirect users to fake login pages, tricking them into entering credentials.
● Attackers can manipulate web content to deceive users.

3. Defacement & Content Manipulation
● Attackers can modify webpage content, inject fake messages, or display misleading information.
● This can harm a website's reputation and cause user distrust.

4. Malware Distribution & Exploitation
● XSS can be used to deliver payloads for other exploits, such as keyloggers, trojans, or browser exploits.

5. Exploiting Admin Panels & Privileged Accounts
● If an administrator executes a malicious script, the attacker can gain control over the entire application.

Proof: View the guestbook and perform XSS; we can see that it is vulnerable to XSS.
Add an XSS payload to the search buttons and update boxes; we got XSS vulnerabilities here.

Remediation:

4.3. Vulnerability Name: CRYPTOGRAPHIC FAILURE

Vulnerability Rating: High

CVSS: CVE-2014-0160

Vulnerability Description: The No SSL/TLS vulnerability occurs when a web application transmits sensitive data (such as login credentials, payment details, or personal information) over unencrypted HTTP instead of a secure HTTPS connection.

Impact:
1. No SSL
● Sensitive Data Exposure – Login credentials, credit card details, and session tokens can be intercepted.
● Man-in-the-Middle (MitM) Attacks – Attackers can eavesdrop, modify, or inject malicious content into data streams.
● Session Hijacking – Attackers can steal session cookies and impersonate users.
● Phishing & Redirection Attacks – Attackers can alter content in transit, leading to malicious redirects.
● Loss of User Trust & Compliance Violations – Non-compliance with security standards (e.g., GDPR, PCI-DSS, HIPAA) can lead to penalties.

2. Password transmitted over HTTP
When a website transmits passwords over unencrypted HTTP instead of secure HTTPS, user credentials are sent in plaintext. This exposes sensitive login data to attackers who can intercept the traffic using Man-in-the-Middle (MitM) attacks, network sniffing, or session hijacking.

Proof:

Remediation:

4.4. Vulnerability Name: OS INJECTION

Vulnerability Rating: Critical

CVSS: CVE-2016-3714

Vulnerability Description: OS Command Injection is a critical security vulnerability that occurs when an application improperly handles user-supplied input, allowing an attacker to execute arbitrary system commands on the underlying operating system.

Impact: OS Command Injection is one of the most severe web vulnerabilities, often leading to complete system compromise.

Proof:

Remediation:
Input Validation:
● Validate and sanitize all user inputs. Ensure that only expected values are accepted and reject any input containing dangerous characters (e.g., ;, |, &).

Use Safe APIs:
● Avoid using system calls (e.g., exec(), system()) that directly execute shell commands. Use safer, higher-level APIs that don’t invoke the shell (e.g., subprocess.run in Python).

Escaping User Input:
● If system commands must be used, escape user input to neutralize any harmful characters or special shell commands.

Principle of Least Privilege:
● Run applications with the least privileges necessary to perform their functions. This reduces the potential impact of a successful injection.

Use Allow-Lists:
● Instead of validating inputs, create an allow-list of acceptable inputs or commands. Reject any input that doesn’t strictly match the predefined list.

Limit Command Execution:
● Where possible, avoid executing commands directly. Use alternatives like scripts or predefined actions that do not rely on user input.

Output Encoding:
● Ensure any output generated by executing commands is properly encoded or sanitized to prevent the injection of malicious content.

Regular Security Audits:
● Continuously test your application for vulnerabilities using automated tools and manual penetration testing.

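As an added illustration of three of the remediation points above (allow-list validation, a shell-free API such as Python's subprocess.run, and escaping as a fallback), here is example code that is not part of the original report. It assumes a hypothetical "ping a host" feature whose host parameter is user-supplied; the unsafe builder only returns the string it would have handed to a shell and never runs it.

```python
import re
import shlex
import subprocess
from typing import List

# Hypothetical feature (an assumption, not from the report): a page that pings
# a user-supplied host. The host parameter is the command injection sink.

def build_ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern: user input concatenated into a shell string.
    Returned, not executed, so the defect is visible: for 'example.com; id'
    the ';' survives and a shell would run 'id' as a second command."""
    return "ping -c 1 " + host

# Allow-list for a hostname: dot-separated labels of letters, digits and
# hyphens. Spaces, ';', '|', '&', '$', quotes and a leading '-' never match,
# so shell metacharacters and option injection are rejected before any call.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def validate_host(host: str) -> str:
    """Reject anything that does not strictly match the allow-list."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("host is not a valid hostname: %r" % host)
    return host

def build_ping_argv(host: str) -> List[str]:
    """Hardened form: the validated value is placed in an argv list. Each
    element reaches the program as one argument; no shell ever parses it."""
    return ["ping", "-c", "1", validate_host(host)]

def build_ping_command_quoted(host: str) -> str:
    """Escaping fallback for code that must go through a shell: shlex.quote
    wraps the value so the shell treats it as a single literal word."""
    return "ping -c 1 " + shlex.quote(host)

def run_ping(host: str, timeout: float = 5.0) -> int:
    """Execute with subprocess.run and a list argument (shell=False is the
    default), so the input cannot change which commands run. Returns the
    process exit code."""
    proc = subprocess.run(build_ping_argv(host), capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode
```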
4.5. Vulnerability Name: Security Misconfiguration

Vulnerability Rating: low

CVSS: none

Vulnerability Description: The Missing X-FRAME-OPTIONS Header vulnerability occurs when a web application does not include the X-Frame-Options HTTP header. This header is used to control whether a web page can be embedded inside a <frame>, <iframe>, <embed>, or <object> element, which is crucial for preventing Clickjacking attacks.

Impact:
● Clickjacking Attacks: Attackers can embed the page in a hidden frame, tricking users into performing unintended actions.
● User Trust Erosion: Users may lose trust if they realize they’ve been manipulated through clickjacking attacks.
● Privilege Escalation: Attackers may force users into performing sensitive actions, such as financial transactions or account changes.
● Security Breach: Information disclosure or unauthorized actions may occur due to clickjacking.
● Reputation Damage: Reports of clickjacking incidents could harm the organization's public image.
● Non-Compliance: Failure to prevent clickjacking may violate security standards and regulations.

Proof:

Remediation:
Set X-FRAME-OPTIONS Header:
● Use X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN to block embedding in frames.

Implement Content Security Policy (CSP):
● Use the frame-ancestors directive in CSP to restrict framing (e.g., Content-Security-Policy: frame-ancestors 'none';).

Update Web Application:
● Ensure your web application is updated to include proper headers in HTTP responses.

Perform Regular Security Audits:
● Conduct regular checks to verify that proper headers are included in all responses.

Educate Development Teams:
● Ensure that web development teams are aware of the risks and mitigation methods related to clickjacking.

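The "regular checks" recommended above can be automated. The following is an added example (not from the report) that classifies a response's anti-clickjacking headers, treating a CSP frame-ancestors directive as authoritative over X-Frame-Options, as browsers do; the sample header sets are constructed, not captured from the target.

```python
from typing import Dict, List, Tuple

def get_header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""

def csp_frame_ancestors(csp: str) -> List[str]:
    """Source list of the frame-ancestors directive, [] if it is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return []

def check_framing_protection(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (status, detail). status is one of:
      'protected'  - framing denied or limited to the same origin
      'restricted' - framing limited to an explicit list of origins
      'weak'       - a header is present but gives no reliable protection
      'missing'    - neither control is present (the report's finding)
    frame-ancestors is evaluated first because browsers ignore
    X-Frame-Options when that directive is present."""
    ancestors = csp_frame_ancestors(get_header(headers, "Content-Security-Policy"))
    if ancestors:
        if "*" in ancestors:
            return "weak", "CSP frame-ancestors allows any origin"
        if ancestors in (["'none'"], ["'self'"]):
            return "protected", "CSP frame-ancestors " + ancestors[0]
        return "restricted", "CSP frame-ancestors " + " ".join(ancestors)
    xfo = get_header(headers, "X-Frame-Options").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected", "X-Frame-Options " + xfo
    if xfo:
        # ALLOW-FROM was dropped by browsers; any other value is invalid.
        return "weak", "unsupported X-Frame-Options value " + xfo
    return "missing", "no X-Frame-Options and no CSP frame-ancestors"

# Constructed sample responses (not captured from testphp.vulnweb.com).
SAMPLE_HEADERS = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo": {"x-frame-options": "deny"},
    "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}
```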
4.6. Vulnerability Name: Vulnerable and Outdated Components

Vulnerability Rating: Critical

CVSS: CVE-2014-0226

Vulnerability Description:
1. Version disclosure refers to the practice of exposing the version number of software or components (e.g., web servers, CMS platforms, or third-party libraries) through error messages, HTTP headers, or other responses. Attackers can exploit this information to identify known vulnerabilities associated with that specific version of the software.
2. Visit robots.txt; from there we got the nginx version.

Impact:
● Exploitation of Known Vulnerabilities: Attackers can identify and exploit known vulnerabilities specific to the disclosed version.
● Targeted Attacks: Version details help attackers craft more precise, effective attacks.
● Vulnerability Enumeration: Attackers can quickly find and target systems running outdated or vulnerable versions.
● Increased Attack Surface: Version exposure adds unnecessary information for attackers, increasing the risk of exploitation.
● Social Engineering: Attackers may use version details in phishing campaigns, impersonating vendors or system administrators.
● Evasion of Security Tools: Attackers may tailor exploits to evade detection by security measures tailored to specific versions.

Proof:

Remediation:

4.7. Vulnerability Name: Information disclosure

Vulnerability Rating: high

CVSS: none

Vulnerability Description: Information Disclosure occurs when sensitive information such as system configurations, error messages, code, database information, or authentication tokens is unintentionally exposed to unauthorized users.

Impact:
● Exposure of Sensitive Data: Sensitive information like passwords, tokens, or database credentials may be unintentionally revealed.
● Facilitates Targeted Attacks: Attackers can use disclosed details to identify specific vulnerabilities and plan targeted exploits.
● System Misconfiguration: Exposed server or system configurations reveal potential misconfigurations or weak points in the system.
● Credential Harvesting: Unauthorized access to exposed credentials, session tokens, or cookies can lead to account takeovers.
● Privilege Escalation: Disclosure of access control details may enable attackers to escalate privileges and gain unauthorized access.
● Reputational Damage: Exposing sensitive data can harm an organization’s reputation and trust with users and clients.
● Compliance Violations: Exposed PII or financial data can violate data protection laws, leading to legal consequences.

Proof: Perform gobuster in the CLI and find hidden directories such as the ones listed below.
View the page source and search for hidden data; we got an email, i.e. wvs@gmail.com, and these many pages (info disclosure):
Visit url/pictures
● /index
● /vendor
● /images
● /admin
● /.idea
● /template

url/vendor
http://testphp.vulnweb.com/vendor/installed.json
By visiting this URL we can explore many Gmail addresses and names.

url/template: here we get a 404 error along with the nginx version.

Visit url/ideas and we can see so many directories; try opening them and find information.

Remediation:
● Limit Error Messages: Customize error pages to avoid revealing sensitive information (e.g., stack traces, file paths).
● Restrict Access: Use access control and least privilege principles to ensure sensitive data is only available to authorized users.
● Disable Directory Listings: Ensure that directories on the web server cannot be browsed to prevent the exposure of files.
● Encryption: Store and transmit sensitive data, such as credentials, in encrypted form.
● Use Strong Security Headers: Implement security headers like Strict-Transport-Security (HSTS) and Content Security Policy (CSP) to mitigate risks.

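The version disclosure in finding 4.6 and the exposed paths, directory listings and e-mail addresses in finding 4.7 can all be flagged from the same crawl output. The following is an added example (not from the report) that runs such checks over a constructed set of response records; the server version and addresses in the sample are made up and are not values observed on testphp.vulnweb.com.

```python
import re
from typing import Dict, List

# Constructed sample of what a directory brute-force run (the report used
# gobuster) plus a header review could return. nginx/1.2.3 and the e-mail
# addresses are made-up values, not taken from the target.
SAMPLE_RESPONSES = [
    {"path": "/", "status": 200, "headers": {"Server": "nginx/1.2.3"},
     "body": "<html><body>Contact: webmaster@example.com</body></html>"},
    {"path": "/vendor/installed.json", "status": 200,
     "headers": {"Server": "nginx/1.2.3"},
     "body": '[{"name": "vendor/package", "authors": [{"email": "dev@example.com"}]}]'},
    {"path": "/.idea/", "status": 200, "headers": {"Server": "nginx/1.2.3"},
     "body": "<title>Index of /.idea/</title>"},
    {"path": "/template/", "status": 404, "headers": {"Server": "nginx/1.2.3"},
     "body": "<center>nginx/1.2.3</center>"},
    {"path": "/admin/", "status": 403, "headers": {"Server": "nginx"},
     "body": "Forbidden"},
]

VERSION_RE = re.compile(r"\b(?:nginx|apache|php|openssl)/\d+(?:\.\d+)+", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Paths that should never be reachable on a production host.
SENSITIVE_PATHS = [re.compile(p) for p in
                   (r"^/vendor/installed\.json$", r"^/\.idea(/|$)",
                    r"^/\.git(/|$)", r"^/\.env$")]

def find_disclosures(responses) -> List[Dict[str, str]]:
    """Flag version leaks, reachable sensitive files, directory listings and
    e-mail addresses. A Server-header version is reported once per value."""
    findings, seen_versions = [], set()
    for r in responses:
        path, body = r["path"], r["body"]
        server = r["headers"].get("Server", "")
        if VERSION_RE.search(server) and server not in seen_versions:
            seen_versions.add(server)
            findings.append({"path": path, "type": "version-in-server-header", "evidence": server})
        m = VERSION_RE.search(body)
        if m:
            findings.append({"path": path, "type": "version-in-body", "evidence": m.group(0)})
        if r["status"] == 200 and any(p.match(path) for p in SENSITIVE_PATHS):
            findings.append({"path": path, "type": "sensitive-file-accessible", "evidence": path})
        if r["status"] == 200 and "Index of" in body:
            findings.append({"path": path, "type": "directory-listing", "evidence": "Index of"})
        for email in EMAIL_RE.findall(body):
            findings.append({"path": path, "type": "email-address", "evidence": email})
    return findings

def count_by_type(findings) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts
```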