Sample
Web Application Penetration Testing
Report
Platform Web Application
Report as of September 10, 2019
Prepared by Condition Zebra
Sample Web Application Penetration Testing Report
Document Properties
Title: Sample Web Application Penetration Testing Report
Version: 1.0
Prepared By: John Lim
Reviewed By: Sam Cheng
Start & End Date: 15 - 20 August 2019
Version Control
Version | Date | Description | Author
1.0 | 10/09/2019 | Report generation | John Lim
Table of Contents
DOCUMENT PROPERTIES ... 2
VERSION CONTROL ... 2
TABLE OF CONTENTS ... 3
PENETRATION TESTING GUIDELINES ... 4
PENETRATION TESTING PROCESS ... 4
PROJECT SCOPE OVERALL RATING IDENTIFICATION ... 4
VULNERABILITY LEVEL DEFINITION ... 4
EXECUTIVE SUMMARY ... 5
SCOPE OF WORK ... 5
OVERVIEW ... 5
OBSERVATIONS ... 5
SUMMARY OF FINDINGS ... 7
OVERVIEW OF VULNERABILITY ... 7
PENETRATION TESTING ON HTTP://10.46.51.82:1007 ... 8
INFORMATION GATHERING ... 8
VULNERABILITY CATEGORY ... 8
VULNERABILITY DETAILS ... 9
Vulnerability 1: SQL Injection ... 9
Vulnerability 2: Cross-Site Scripting ... 10
Vulnerability 3: Cross-site Request Forgery (CSRF) ... 12
Vulnerability 4: Clear-text Transmission of Password ... 14
Vulnerability 5: Improper Logout
Vulnerability 6: Improper Error Handling
Vulnerability 7: Clickjacking
Vulnerability 8: Dangerous HTTP Methods Enabled
Penetration Testing Guidelines
Penetration Testing Process
Information Gathering
• Gathering credentials and other details if required
• Understanding the target technologies and environment
• Gathering target URLs etc.
Scanning
• Automated scanning of target URLs
Vulnerability Analysis
• Identifying the target services
• Manual assessment
• Analysing the automated reports
Exploitation
• Developing proof of concepts
• Checking the exploitability
• Exploiting the targets if applicable
Reporting
• High level summary
• Technical details
• Remediation
Project Scope Overall Rating Identification
Security Level | Definition
Poor | The system contains exploitable and/or critical vulnerabilities that allow an attacker to take over the system.
Average | The system contains high vulnerabilities that cause serious security threats to the system and medium vulnerabilities that expose system details.
Above Average | The system contains medium and low vulnerabilities that have no direct impact on the system.
Good | The system contains none or a small number of low vulnerabilities with minimal security impact on the system.
Vulnerability Level Definition
Vulnerability Level | Definition | CVSS Score
Critical | A vulnerability with very high business risk that is easy to exploit. | 9.0 – 10.0
High | A vulnerability with high business risk that is difficult to exploit. | 7.0 – 8.9
Medium | A vulnerability with a medium level of business risk that is challenging to exploit. | 4.0 – 6.9
Low | A vulnerability with low business risk and no direct exploitation possible. | 0.1 – 3.9
Table 1: Adapted from https://www.first.org/cvss/specification-document
Executive Summary
This document records the details of the white box penetration testing conducted by Condition Zebra on
Sample's web application from 15 to 20 August 2019. The purpose of this testing is to identify the
vulnerabilities that exist in Sample's web application and to propose remediation for the
vulnerabilities discovered.
Scope of Work
The scope of the white box penetration testing is not limited to the identification of web threats; it
also covers checking Sample's web application security against the guidelines and standards from
OWASP, SANS and WASC.
One (1) URL was given by Sample in order to complete this penetration testing:
No | URL
1 | http://10.46.51.82:1007
Overview
Condition Zebra has conducted vulnerability scanning and manual penetration testing on Sample's
web application, and the overall security is rated as Poor. A total of nineteen (19) vulnerabilities
were identified in Sample's web application.
Observations
1. All HTTP requests are vulnerable to CSRF. It is recommended to deploy a CSRF prevention
mechanism for all HTTP requests.
2. It is possible to enumerate the software versions of the following components by navigating to
the affected files / querying the server:
Affected Files | Version In Use
http://10.46.51.82:1007/ (Server) | Microsoft-IIS/8.5
http://10.46.51.82:1007/permohonan/menu/admin/stmenu.js | DHTMLMenu Ver: 7.3.70330
http://10.46.51.82:1007/datetimepick/datetimepicker.js | My Date Time Picker Version: 0.8
http://10.46.51.82:1007/javascripts/jquery-1.2.6.js | jQuery 1.2.6
http://10.46.51.82:1007/javascripts/jquery.localscroll-1.2.5.js | version 1.2.5
http://10.46.51.82:1007/javascripts/jquery.serialScroll-1.2.1.js | version 1.2.1
http://10.46.51.82:1007/javascripts/jquery.easing.1.3.js | jQuery Easing v1.3
http://10.46.51.82:1007/javascripts/jquery.scrollTo-1.3.3.js | version 1.3.3
It is recommended to hide such information by either removing it from the affected files or
configuring the server banner so that it does not include server version information.
Summary of Findings
Chart: Identified Vulnerability on Sample's Web Application (number of vulnerabilities per severity for http://10.46.51.82:1007)
Target | Critical | High | Medium | Low
http://10.46.51.82:1007 | 1 | 10 | 6 | 2
Total | 19
Overview of Vulnerability
No | Vulnerability | Host Affected | Remediation
1 | SQL Injection | http://10.46.51.82:1007 | Use the <cfqueryparam> tag
2 | Cross-Site Scripting | http://10.46.51.82:1007 | Sanitize user input by using input sanitization
3 | Cross-site Request Forgery (CSRF) | http://10.46.51.82:1007 | Make use of a challenge token (Anti-CSRF Tokens)
4 | Clear-Text Transmission of Password | http://10.46.51.82:1007 | Apply transport-level encryption (SSL or TLS)
5 | Improper Logout | http://10.46.51.82:1007 | Ensure that the session expires upon logout
6 | Improper Error Handling | http://10.46.51.82:1007 | Enable proper error handling with custom / generic error messages
7 | Clickjacking | http://10.46.51.82:1007 | Send the proper X-Frame-Options HTTP response header
8 | Dangerous HTTP Methods Enabled | http://10.46.51.82:1007 | Disable all affected methods in the web server configuration file
Penetration Testing on http://10.46.51.82:1007
Information Gathering
Server Details
IP Address: 10.46.51.82
Programming Language: CFML
Web Framework: Adobe ColdFusion
Pie chart: Identified Vulnerability on http://10.46.51.82:1007 (Critical 5%, High 56%, Medium 33%, Low 6%)
Vulnerability Category
Target | Critical | High | Medium | Low
http://10.46.51.82:1007 | 1 | 10 | 6 | 2
Total | 19
No | Critical Vulnerability | Quantity
1 | SQL Injection | 1
No | High Vulnerability | Quantity
1 | Cross-Site Scripting | 8
2 | Cross-site Request Forgery (CSRF) | 1
3 | Clear-Text Transmission of Password | 1
No | Medium Vulnerability | Quantity
1 | Improper Logout | 1
2 | Improper Error Handling | 5
No | Low Vulnerability | Quantity
1 | Clickjacking | 1
2 | Dangerous HTTP Methods Enabled | 1
Vulnerability Details
Vulnerability 1: SQL Injection
Description:
SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL
statements that control a web application’s database server.
Instances:
Page Affected | Parameter | Payload
http://10.46.51.82:1007/permohonan/query_umum.cfm?act=kemaskini_pengumuman&id=3 | id | act=kemaskini_pengumuman&id=3 AND 2562=CTXSYS.DRITHSX.SN(2562,(CHR(113)||CHR(118)||CHR(107)||CHR(112)||CHR(113)||(SELECT (CASE WHEN (2562=2562) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(120)||CHR(118)||CHR(107)||CHR(113)))
Risk Rating:
Severity: Critical
CVSS: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Steps to Reproduce:
i. Open the following link in a web browser:
http://10.46.51.82:1007/permohonan/query_umum.cfm?act=kemaskini_pengumuman&id=3
ii. Insert a single quote (') into the id parameter and submit the request.
iii. Check the resulting error message.
Proof of Concept:
Impact/Consequence:
An attacker can successfully gain access to the database and execute arbitrary commands,
perform CRUD database actions or remotely compromise the target by exploiting this
vulnerability.
Remediation:
Sanitize user inputs before using them to construct a SQL query. Use the cfqueryparam tag so
that the data type of the input is enforced.
Please refer to https://www.adobe.com/devnet/coldfusion/articles/sql_injection.html for
additional information.
References:
https://cwe.mitre.org/data/definitions/89.html
http://projects.webappsec.org/w/page/13246963/SQL%20Injection
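The principle behind the cfqueryparam remediation above, shown as an added example that is not part of the report: the same lookup built by string concatenation and by binding a typed parameter, using Python's sqlite3 as a stand-in for the ColdFusion query tags. The table name and rows are constructed sample data, not the target's schema.

```python
# Added example, not from the report: the principle behind the
# cfqueryparam remediation for Vulnerability 1, shown with Python's sqlite3
# so it runs offline. Table name and rows are constructed sample data.
import sqlite3

# Stand-in for the announcement table behind query_umum.cfm (hypothetical).
SAMPLE_ROWS = [(1, "first notice"), (2, "second notice"), (3, "third notice")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pengumuman (id INTEGER PRIMARY KEY, keterangan TEXT)")
    conn.executemany("INSERT INTO pengumuman VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, id_param: str) -> list:
    # The request parameter is pasted into the SQL text, so a stray quote in
    # ?id= reaches the SQL parser: the error the report's step iii checks for.
    sql = "SELECT keterangan FROM pengumuman WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, id_param: str) -> list:
    # Equivalent of <cfqueryparam cfsqltype="cf_sql_integer">: the value is
    # type-checked and bound, never spliced into the statement text.
    try:
        announcement_id = int(id_param)
    except ValueError:
        return []  # reject unexpected input instead of guessing
    sql = "SELECT keterangan FROM pengumuman WHERE id = ?"
    return conn.execute(sql, (announcement_id,)).fetchall()


def vulnerable_raises(id_param: str) -> bool:
    """True when the concatenating version raises a database error."""
    try:
        lookup_vulnerable(make_db(), id_param)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    print("3'  -> concatenated:", "error" if vulnerable_raises("3'") else "ok")
    print("3'  -> parameterized:", lookup_parameterized(make_db(), "3'"))
```

The database error the report's reproduction steps look for only appears in the concatenating version; the bound version treats the same input as an invalid id and returns nothing.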
Vulnerability 2: Cross-Site Scripting
Description:
Reflected cross-site scripting (XSS) occurs when an attacker injects browser-executable code
into a single HTTP response. The script is triggered whenever a victim loads the page
through a malicious URL supplied by the attacker. With this attack, sensitive information such as
cookies can be transferred to the attacker without any notification to the victim.
Instances:
Host: http://10.46.51.82:1007
Page Affected | Parameter | Payload
/permohonan/mohon_t4_senarai.cfm?CFID=434293&CFTOKEN=372476a918f00b4b-F1440547-5056-A237-383A6389732E7880 | ting | "><iframe src="http://10.46.51.82:1007/" onload=prompt(1234)></iframe>
/permohonan/query_umum.cfm?act=kemaskini_pengumuman&id=2 | Keterangan | "><iframe src="http://10.46.51.82:1007/" onload=prompt(1234)></iframe>
/query_umum.cfm?act=kemaskini_pengumuman&id=1 | Keterangan | "><iframe src="http://10.46.51.82:1007/" onload=prompt(1234)></iframe>
/permohonan/list_all_mohon1.cfm?ting=1 | ket_murid, negeri | "><iframe src="http://10.46.51.82:1007/" onload=prompt(1234)></iframe>
/permohonan/list_all_mohon4.cfm?ting=4 | ket_murid | "><iframe src="http://10.46.51.82:1007/" onload=prompt(1234)></iframe>
/penawaran/saringan_senarai_sek.cfm | kod_jurusan | "><iframe src="http://10.46.51.82:1007/" onload=prompt(1234)></iframe>
/penawaran/saringan_isi_markah.cfm?no_kp=030417121092 | no_kp | "><iframe src="http://10.46.51.82:1007/" onload=prompt(1234)></iframe>
/permohonan/ttpnsql.cfm | Kekacang | "></textarea> <iframe src="http://10.46.51.82:1007/" onload=prompt(1234)></iframe>
Risk Rating:
Severity: High
CVSS: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Steps to Reproduce:
i. Browse to the following URL:
http://10.46.51.82:1007/penawaran/saringan_isi_markah.cfm?no_kp=03041712
ii. Replace the value of the affected parameter in the URL with the following payload:
"><iframe src="http://10.46.51.82:1007/" onload=prompt(1234)></iframe>
iii. Observe whether a dialog box pops up.
Proof of Concept:
Impact/Consequence:
After a successful attack, a malicious user can perform a variety of actions: steal the user's cookies,
modify webpage contents, and perform operations on the site within the user's session (XSS
proxy).
Remediation:
• Validate and sanitize user input before it is used.
• Encode output for the HTML context in which it is rendered (for example with encodeForHTML).
Please refer to https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-e-g/encodeforhtml.html for further information.
Reference:
https://cwe.mitre.org/data/definitions/79.html
http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
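Why output encoding stops the payload recorded above, as an added example that is not from the report: the payload opens with "> so that it closes the attribute and tag the parameter is echoed into. The page layout below is constructed, and Python's html.escape stands in for the encodeForHTML function the remediation points to.

```python
# Added example, not from the report: context-aware output encoding for
# Vulnerability 2. The form markup is constructed; html.escape plays the
# role of ColdFusion's encodeForHTML from the remediation.
import html
import re

# The payload recorded in the report's instances table.
REPORT_PAYLOAD = '"><iframe src="http://10.46.51.82:1007/" onload=prompt(1234)></iframe>'


def render_vulnerable(no_kp: str) -> str:
    """Echoes the no_kp parameter straight into an attribute value, the
    pattern behind saringan_isi_markah.cfm?no_kp=... in the report."""
    return f'<form><input type="text" name="no_kp" value="{no_kp}"></form>'


def render_encoded(no_kp: str) -> str:
    """Same page with the value encoded for an HTML attribute context.
    quote=True matters: without it the leading quote of the payload would
    still terminate the attribute even though < and > are encoded."""
    safe = html.escape(no_kp, quote=True)
    return f'<form><input type="text" name="no_kp" value="{safe}"></form>'


_TAG = re.compile(r"<([a-zA-Z][a-zA-Z0-9]*)")


def element_names(markup: str) -> list:
    """Lower-cased names of the elements a browser would parse from markup:
    a quick way to check whether user data introduced a new element."""
    return [m.group(1).lower() for m in _TAG.finditer(markup)]


if __name__ == "__main__":
    print("vulnerable:", element_names(render_vulnerable(REPORT_PAYLOAD)))
    print("encoded:   ", element_names(render_encoded(REPORT_PAYLOAD)))
```

The encoder must match the output context: html.escape covers HTML body and quoted attribute values, while values placed inside JavaScript or URLs need the encoder for that context.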
Vulnerability 3: Cross-site Request Forgery (CSRF)
Description:
The affected page allows the user profile to be modified by loading a crafted HTML file containing
the input values the attacker wants to change, forcing an end user to execute unwanted
actions on a web application in which they are currently authenticated.
Instances:
Page Affected
http://10.46.51.82:1007 /permohonan/query_umum.cfm?act=kemaskini_pengumuman&id=1
Risk Rating:
Severity: High
CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
Steps to Reproduce:
i. Save the code below as an HTML file and open it in a browser that is already logged in as
Admin bukan pelulus.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://10.46.51.82:1007/permohonan/query_umum.cfm?act=kemaskini_pengumuman&id=1" method="POST">
<input type="hidden" name="ik_terkini" value="ik_terkini" />
<input type="hidden" name="keterangan" value="CSRF" />
<input type="hidden" name="KEMASKINI" value="KEMASKINI" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
ii. Click on Submit request to change the associated user status.
Proof of Concept:
Remarks: The CSRF request was executed successfully.
Impact/Consequence:
The attacker will be able to take over the user account, and the user will not be able to recover
the account if the attacker changes the email address.
Remediation:
Make use of a challenge token (Anti-CSRF Tokens) that is associated with a particular user and
can be found as a hidden value in every state changing form which is present on the web
application. This token, called a CSRF Token or a Synchronizer Token, works as follows:
1. The web server generates a token.
2. The token is statically set as a hidden input on the protected form.
3. The form is submitted by the user.
4. The token is included in the POST data.
5. The web application compares the token it generated with the token sent in the request.
6. If the tokens match, the request is valid, as it has been sent through the actual form in the web application.
7. If there is no match, the request is considered illegitimate and is rejected.
Reference:
https://en.wikipedia.org/wiki/Cross-site_request_forgery
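The synchronizer-token flow in the remediation above, as an added example that is not part of the report: a minimal server-side model that issues a per-session token, embeds it in the genuine update form, and rejects a POST that arrives without the matching token, which is what the attacker's page in the proof of concept cannot supply. The session store, field names and request dicts are constructed for the example; ColdFusion's own csrfGenerateToken and csrfVerifyToken functions provide the same mechanism in the target's stack.

```python
# Added example, not from the report: a minimal model of the synchronizer
# token flow described in the remediation for Vulnerability 3. The session
# store, field names and request dicts are constructed for this example.
import hmac
import secrets

# Stand-in for the server-side session scope (constructed).
SESSIONS: dict = {}

FORM_ACTION = "/permohonan/query_umum.cfm?act=kemaskini_pengumuman&id=1"


def issue_token(session_id: str) -> str:
    """Steps 1-2: the server generates a token and remembers it for the
    session so it can be emitted as a hidden field on the protected form."""
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["csrf_token"] = token
    return token


def render_form(session_id: str) -> str:
    """Steps 2-3: the legitimate update form now carries the hidden token."""
    token = issue_token(session_id)
    return (
        f'<form action="{FORM_ACTION}" method="POST">'
        f'<input type="hidden" name="csrf_token" value="{token}" />'
        '<input type="hidden" name="keterangan" value="" />'
        '<input type="submit" name="KEMASKINI" value="KEMASKINI" /></form>'
    )


def handle_post(session_id: str, form: dict) -> str:
    """Steps 4-7: compare the token in the POST data with the one stored for
    the session, in constant time. A forged page like the one in the PoC
    cannot read the victim's token, so its POST arrives without it."""
    expected = SESSIONS.get(session_id, {}).get("csrf_token")
    submitted = str(form.get("csrf_token", ""))
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return "rejected"
    return "updated"


def token_from_form(markup: str) -> str:
    """What a browser does implicitly when it submits the genuine form:
    carry the hidden token along with the other fields."""
    return markup.split('name="csrf_token" value="')[1].split('"')[0]


if __name__ == "__main__":
    legit = token_from_form(render_form("demo-session"))
    print("genuine form:", handle_post("demo-session", {"csrf_token": legit}))
    print("forged form: ", handle_post("demo-session", {"keterangan": "CSRF"}))
```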
Vulnerability 4: Clear-text Transmission of Password
Description:
The password is transmitted in clear text, where it can be viewed by anyone able to observe the network traffic.
Instances:
Page Affected
http://10.46.51.82:1007 /
Risk Rating:
Severity: High
CVSS: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Steps to Reproduce:
i. Use Wireshark to capture traffic while credentials are being submitted.
ii. Analyze the captured packets for credentials.
Proof of Concept:
Impact/Consequence:
An attacker on the network path can perform a man-in-the-middle attack to sniff the credentials
and use them in further attacks against the target.
Remediation:
Encrypt the password with a reliable encryption scheme. Apply transport-level encryption (SSL or
TLS) to protect all sensitive communications passing between the client and the server.
Please refer to http://www.howto-expert.com/how-to-get-https-setting-up-ssl-on-your-website/ for
more information.
Reference:
https://cwe.mitre.org/data/definitions/319.html
https://luxsci.com/blog/ssl-versus-tls-whats-the-difference.html
https://security.berkeley.edu/data-encryption-transit-guideline
End of Report