Summary: this report covers four vulnerability classes found in the portal under test: Malicious File Upload and Execution, Broken Authentication and Session Management, Cross Site Request Forgery (CSRF) and Insufficient Transport Layer Protection. Each has a description, risk rating, attack complexity and impact, followed by test cases with their outcome and pass/fail result and by the recommended solutions with their implementation status. Most tests passed; two session-management tests failed (a copied session cookie stays valid in a second browser after logout, and a cached authenticated page can still be viewed offline after logout), and several POST forms still lack the CSRF authenticator.
Vulnerability Testing Report

1. Vulnerability: Malicious File Upload and Execution:

Description:
Code vulnerable to remote file inclusion (RFI) allows attackers to include
hostile code and data, resulting in devastating attacks, such as total server compromise.
Malicious file execution attacks affect PHP, XML and any framework which accepts
filenames or files from users.

Risk Rating:
Severe

Complexity of Attack:
Easy

Impact:
Whole application server can be compromised.

Test Cases:

Upload policy under test:

Valid file formats: pdf, flv
Maximum file size: 2 MB
Valid image formats: jpg, jpeg, png, gif
Maximum image size: 1 MB
Filename validation regular expression: ^[a-zA-Z0-9_]+\.[a-zA-Z]+$

The expression admits only letters, digits and underscore, followed by exactly one dot and an alphabetic extension, so double extensions, path separators, null bytes and shell metacharacters are rejected by the name check alone. The extension itself still has to be compared against the allow-list above, and that comparison should be case-insensitive.

S.No. | Execution step | Outcome | Result
1. | From the "Add new" drop-down choose "Add file", select an HTML file and click Upload | Error message: "Please upload the file in valid format." | Pass
2. | From the "Add new" drop-down choose "Add file", select an EXE file and click Upload | Error message: "Please upload the file in valid format." | Pass
3. | From the "Add new" drop-down choose "Add file", select a PDF file smaller than 2 MB and click Upload | File successfully uploaded to the server | Pass
4. | From the "Add new" drop-down choose "Add file", select a file in a valid format but 5 MB in size and click Upload | Error message: "Validation failed (size greater than 2 MB)" | Pass
5. | From the "Add new" drop-down choose "Add file", select a file in a valid format and smaller than 2 MB whose name contains special characters, more than one dot and metacharacters, and click Upload | Error message: "Upload the file in valid format." | Pass
6. | From the "Add new" drop-down choose "Add image" and upload an image in an invalid format | Error message: "Upload the image in valid format" | Pass
7. | From the "Add new" drop-down choose "Add image" and upload an image in a valid format but larger than 1 MB | Error message: "Validation failed (size greater than 1 MB)" | Pass
8. | From the "Add new" drop-down choose "Add image" and upload an image in a valid format and smaller than 1 MB | Image successfully uploaded to the server | Pass
9. | From the "Add new" drop-down choose "Add file" and upload an image in a valid format, smaller than 1 MB, whose name contains special characters, more than one dot and metacharacters | Error message: "Upload the image in valid format" | Pass

Solutions:

Recommended solution | Implemented
Check the allowed file extension and file type (MIME type) in the upload module with a server-side allow-list. | Yes
Restrict uploaded files to a maximum size. | Yes
Reject, on the server side, long file names and names containing a double extension, double dot (..), null byte (%00) or metacharacters. | Yes
Validate file extension, content type and size on both the client and the server side. The server-side validation is mandatory; the client-side check is a convenience only. | Yes

Conclusion:
All the recommended checks on file extension, file content type and file size have been implemented. One caveat on the content-type check: the MIME type sent by the browser is attacker-controlled, so a server-side type check is only meaningful when it inspects the file content (for example its leading magic bytes) rather than the Content-Type header.

2. Vulnerability: Broken Authentication and Session Management:

Description:
Application functions related to authentication and session management
are often not implemented correctly, allowing attackers to compromise passwords, keys,
session tokens, or exploit other implementation flaws to assume other users' identities.

Risk Rating:
Severe

Complexity of attack:
Average

Impact:
Such flaws may allow some or even all accounts to be attacked. Once
successful, the attacker can do anything the victim could do. Privileged accounts are
frequently targeted.
Test Cases:

S.No. | Execution step | Outcome | Result
1. | Log in to the portal and copy the session cookie value; open a new browser on the same machine or on another machine and paste the copied cookie value into it | The user is able to start the session in the other browser | Pass
2. | Now log out from the site in one browser | The session is still available in the second browser, i.e. Plone is maintaining the session on the client side | Fail (the session should be expired in all browsers)
3. | Log in with the abhisharma@cdac.in credentials, open the Personal Information form, click Logout, then click the browser Back button | The authenticated Personal Information page is not shown after logout | Pass
4. | Log in with the member@cdac.in credentials, open the My Contributions page, click Logout, then click the browser Back button | The My Contributions page is not shown after logout | Pass
5. | Log in with the member@cdac.in credentials, open the Dashboard page, click Logout, then click the browser Back button | The Dashboard page is not shown after logout | Pass
6. | Log in with the member@cdac.in credentials, open the Change Password form, click Logout, then click the browser Back button | The authenticated Change Password form is not shown after logout | Pass
7. | Log in with the indgsna@cdac.in credentials, open the Moderate Comments form, click Logout, then click the browser Back button | The authenticated Moderate Comments form is not shown after logout | Pass
8. | Log in with the indgsna@cdac.in credentials, open the Moderate Discussions form, click Logout, then click the browser Back button | The Moderate Discussions form is not shown after logout | Pass
9. | Log in with the indgsna@cdac.in credentials, open the Moderate Members page, click Logout, then click the browser Back button | The Moderate Members page is not shown after logout | Pass
10. | Log in with the indgsna@cdac.in credentials, open the Moderate Feedbacks page, click Logout, then click the browser Back button | The Moderate Feedbacks page is not shown after logout | Pass
11. | Log in with the indgsna@cdac.in credentials, open the Recent Items page, click Logout, then click the browser Back button | The Recent Items page is not shown after logout | Pass
12. | Log in with the indgsna@cdac.in credentials, open the Review List page, click Logout, then click the browser Back button | The Review List page is not shown after logout | Pass
13. | Log in with the indgsna@cdac.in credentials, open the Login Attempts page, click Logout, then click the browser Back button | The Login Attempts page is not shown after logout | Pass
14. | Log in with the indgsna@cdac.in credentials, open the Dashboard page, click Logout, then switch the browser to "Work Offline" mode | The authenticated Dashboard page is still shown | Fail
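The two failures above have a common root, and the following added example (not the report's code, and not Plone's implementation) models it. Test case 2 fails because a cookie that is validated purely by its signature cannot be revoked: logout can only delete the copy in one browser, while every other copy stays valid until the signing secret is rotated. A server-side session registry, by contrast, can drop the session for every holder at once. The class and function names, the cookie layout and the user identifier are assumptions; the user id is one that appears in the test table.

```python
"""Stateless signed cookie vs. server-side session registry (added example)."""
import hashlib
import hmac
import secrets


class SignedCookieAuth:
    """Cookie = user_id + "." + HMAC-SHA256(secret, user_id). No server state.

    Assumed layout for the example; any copy of the cookie verifies until
    the secret changes, which is what test case 2 observed.
    """

    def __init__(self, secret: bytes):
        self._secret = secret

    def _mac(self, user_id: str) -> str:
        return hmac.new(self._secret, user_id.encode(), hashlib.sha256).hexdigest()

    def login(self, user_id: str) -> str:
        return f"{user_id}.{self._mac(user_id)}"

    def user_for(self, cookie: str):
        # rpartition: the hex MAC never contains a dot, the user id may.
        user_id, _, mac = cookie.rpartition(".")
        return user_id if hmac.compare_digest(mac, self._mac(user_id)) else None

    def logout(self, cookie: str) -> None:
        # Nothing the server can do: the browser discards its copy, but a
        # copy pasted into another browser still verifies.
        return None


class ServerSessionAuth:
    """Cookie = random session id; validity lives in a server-side store."""

    def __init__(self):
        self._sessions = {}

    def login(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits of entropy, unguessable
        self._sessions[sid] = user_id
        return sid

    def user_for(self, cookie: str):
        return self._sessions.get(cookie)

    def logout(self, cookie: str) -> None:
        # Revokes the session for every browser holding this cookie.
        self._sessions.pop(cookie, None)


def replay_after_logout(auth, user_id: str = "member@cdac.in") -> bool:
    """Model test cases 1 and 2: log in, copy the cookie to a second
    browser, log out from the first, then ask whether the copy still works.
    Returns True when the copied cookie is still accepted (the failure)."""
    cookie_browser_a = auth.login(user_id)
    cookie_browser_b = cookie_browser_a          # pasted into the second browser
    assert auth.user_for(cookie_browser_b) == user_id   # test case 1: session starts
    auth.logout(cookie_browser_a)                # test case 2: log out in browser A
    return auth.user_for(cookie_browser_b) is not None


if __name__ == "__main__":
    print("signed cookie still valid after logout:",
          replay_after_logout(SignedCookieAuth(b"constructed-secret")))
    print("server session still valid after logout:",
          replay_after_logout(ServerSessionAuth()))
```

Test case 14 is the same problem seen from the cache side: the page shown offline was never requested from the server, so no server-side check could have rejected it. Authenticated responses should carry Cache-Control: no-store so the browser does not keep a copy that outlives the session; the Back-button cases pass only because those pages happened to be re-fetched.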

3. Vulnerability: Cross Site Request Forgery (CSRF):

Description:
A CSRF attack forces a logged-on victim's browser to send a forged HTTP
request, including the victim's session cookie and any other automatically included
authentication information, to a vulnerable web application. This allows the attacker to
force the victim's browser to generate requests the vulnerable application thinks are
legitimate requests from the victim.

Risk Rating:
Moderate

Complexity of attack:
Average
Impact:
Attackers can cause victims to change any data the victim is allowed to
change or perform any function the victim is authorized to use.

Test Cases:

S.No. | Execution step | Outcome | Result
1. | Tried to upload an HTML file to use for a CSRF attack | The user is not able to upload the HTML file | Pass
2. | Tried a CSRF attack on the Dashboard by changing the value of the hidden authenticator parameter | The user got a Forbidden error | Pass
3. | Tried a CSRF attack on the Personal Information page by changing the value of the hidden authenticator parameter | The user got a Forbidden error | Pass
4. | Tried a CSRF attack on the Change Your Password form by changing the value of the hidden authenticator parameter | The user got a Forbidden error | Pass
5. | Tried a CSRF attack on the Personal Preferences form by changing the value of the hidden authenticator parameter | The user got a Forbidden error | Pass
6. | Tried a CSRF attack on the Send To Friend form by changing the value of the hidden authenticator parameter | The user got a Forbidden error | Pass
7. | Tried a CSRF attack on the Moderate Members form by changing the value of the hidden parameter | The user got a Forbidden error | Pass
8. | Feedback admin page actions | All the actions are now performed over the POST method | Pass

Solutions:

Suggested solution | Implemented
Use CSRFguard-style code: server-side code that inserts a hidden random value into each requested page of the web application. When that page is submitted back to the server with user input, the CSRFguard code verifies the hidden value. A submission carrying the expected value is passed on for processing; one without it is blocked. | Yes (implemented in most Plone forms)
Use POST instead of GET for state-changing requests. This is not a CSRF defence on its own: the attack shown here was carried out against POST requests, and an attacker's page can auto-submit a form to forge a POST just as easily as a GET. Using POST does stop state changes being triggered by plain links or image tags and keeps the authenticator out of URLs and referrer logs, which is why it accompanies the token check rather than replacing it. | Yes

Conclusion:
1. The CSRFguard code has been implemented in almost all forms. It still needs to be implemented in the forms below; they already use the POST request method, but they are dynamic, authenticated forms and so need the token check as well:

a) Post Your Suggestion form
b) Newsletter Subscription form
c) Content Edit and Add form
d) Add Conversation form
e) Moderate Comments form
f) Moderate Discussion form

2. The request method of all forms has been converted to POST.
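The check behind the "changed the hidden authenticator value, got Forbidden" test cases, as an added example that is not the report's code or Plone's own implementation. The hidden field is named _authenticator because that is the parameter the report refers to; binding the token to the session with an HMAC, and the function names, are assumptions. The example also shows why the conclusion above is right to insist on the token for the remaining POST forms: a forged cross-site POST carries the victim's cookie but not the token.

```python
"""Per-session CSRF authenticator: issue, embed, verify (added example)."""
import hashlib
import hmac

# Would be random and per-deployment; constructed here for the example.
SERVER_SECRET = b"constructed-server-secret"
FIELD = "_authenticator"


def issue_authenticator(session_id: str) -> str:
    """Token bound to the session: HMAC-SHA256(secret, session_id).

    Recomputable from the session, so nothing extra has to be stored; an
    attacker who cannot read the victim's pages cannot learn it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_form(session_id: str) -> str:
    """Hidden field emitted into every state-changing form."""
    return f'<input type="hidden" name="{FIELD}" value="{issue_authenticator(session_id)}">'


def handle_post(session_id: str, form: dict) -> int:
    """Return the HTTP status for a state-changing POST.

    session_id is what the server recovered from the session cookie, which
    the browser attaches to cross-site requests as well. The token is the
    only thing that distinguishes a forged POST from a genuine one.
    """
    token = form.get(FIELD, "")
    expected = issue_authenticator(session_id)
    # compare_digest: constant-time, and False (not an exception) on length mismatch.
    if not hmac.compare_digest(token, expected):
        return 403
    # ... apply the change, e.g. update personal information ...
    return 200


def legitimate_post(session_id: str) -> int:
    """Form rendered by the site, submitted by the user."""
    return handle_post(session_id, {"fullname": "Member", FIELD: issue_authenticator(session_id)})


def forged_cross_site_post(session_id: str) -> int:
    """Auto-submitting form on an attacker page: the cookie goes along, the token does not."""
    return handle_post(session_id, {"fullname": "attacker-controlled"})


def tampered_token_post(session_id: str) -> int:
    """The report's test: resubmit with the hidden authenticator value altered."""
    good = issue_authenticator(session_id)
    tampered = ("0" if good[0] != "0" else "1") + good[1:]
    return handle_post(session_id, {"fullname": "Member", FIELD: tampered})


if __name__ == "__main__":
    sid = "constructed-session-id"
    print(render_form(sid))
    print("legitimate:", legitimate_post(sid))          # 200
    print("forged cross-site:", forged_cross_site_post(sid))   # 403
    print("tampered token:", tampered_token_post(sid))  # 403
```

A token tied to one session is rejected when replayed against another, so a value an attacker harvests from their own account is useless against a victim; the last assertion in the test exercises that case. This is also why test case 1 in this section matters: an HTML page uploaded to the portal itself would run same-origin and could read the victim's token, bypassing the check entirely.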

4. Vulnerability: Insufficient Transport Layer Protection


Description:
Applications frequently fail to authenticate, encrypt, and protect the
confidentiality and integrity of sensitive network traffic. When they do, they sometimes
support weak algorithms, use expired or invalid certificates, or do not use them
correctly.

Risk rating:
Moderate

Complexity of attack:
Difficult

Impact:
Such flaws expose individual users' data and can lead to account theft. If
an admin account was compromised, the entire site could be exposed.
Test Cases:

S.No. | Execution step | Outcome | Result
1. | Submit the email and password on the login form and, after a successful login, try to recover the email address, password and session cookie from a Wireshark capture on port 443 | Only encrypted values are displayed; the email, password and cookie cannot be obtained from the network | Pass
2. | Submit the Change Your Password form and try to recover the password value from a Wireshark capture on port 443 | Only encrypted values are displayed | Pass

Solutions:

Suggested solution | Implemented
Credentials submitted from the login page must not cross the LAN in clear text. | Yes, HTTPS takes care of it. (Hashing the password in the browser would not be a substitute: the hash would simply become the credential that is replayed.)
Store passwords only as salted hashes, including any password the application generates for a user. | Yes (SSHA hashing before storing in the database)
Use SSL/TLS to encrypt all traffic to and from the web application. | Yes

Conclusion:
1. SSHA hashing has been implemented for passwords before they are stored in the LDAP server. SSHA is salted SHA-1 in a single round, which stops rainbow-table lookups but is fast enough for offline brute force if the LDAP store is ever exposed; a deliberately slow construction (PBKDF2, bcrypt or Argon2) is the stronger choice.
2. TLS (SSL) has been enabled for all traffic to and from the web application. A passive capture on port 443 confirms that the observed connection is encrypted, but it does not exercise the other failure modes named in the description above: weak cipher suites, certificate validity, and whether plain HTTP is refused or redirected.
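The LDAP {SSHA} scheme the conclusion refers to, written out as an added example (not the report's code or the portal's configuration) alongside a slower PBKDF2 alternative for comparison. The {SSHA} layout, base64 of the 20-byte SHA-1 digest followed by the salt, is the standard LDAP userPassword form; the PBKDF2 string format and all function names are assumptions for this example.

```python
"""{SSHA} hashing/verification as stored in LDAP, and a PBKDF2 alternative (added example)."""
import base64
import hashlib
import hmac
import secrets

SSHA_PREFIX = "{SSHA}"
PBKDF2_PREFIX = "{PBKDF2-SHA256}"   # assumed, illustrative format for this example


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Return "{SSHA}" + base64(sha1(password || salt) || salt).

    Salt defeats precomputed tables, but SHA-1 is a single fast round: an
    attacker with the LDAP dump can still try billions of guesses per second.
    """
    if salt is None:
        salt = secrets.token_bytes(8)   # fresh random salt per password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute SHA-1 over the candidate and the stored salt; compare in constant time."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Slow, tunable alternative: "{PBKDF2-SHA256}" + iterations$b64(salt)$b64(dk)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s%d$%s$%s" % (
        PBKDF2_PREFIX, iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def pbkdf2_verify(password: str, stored: str) -> bool:
    if not stored.startswith(PBKDF2_PREFIX):
        return False
    iters, salt_b64, dk_b64 = stored[len(PBKDF2_PREFIX):].split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


if __name__ == "__main__":
    # Constructed sample password; the fixed salt makes the output reproducible.
    stored = ssha_hash("correct horse battery", salt=b"12345678")
    print(stored)
    print("ssha ok:", ssha_verify("correct horse battery", stored))
    print("ssha wrong:", ssha_verify("wrong password", stored))
    print("pbkdf2 ok:", pbkdf2_verify("correct horse battery", pbkdf2_hash("correct horse battery")))
```

The iteration count in pbkdf2_hash is the knob that makes offline guessing expensive; SSHA has no such knob, which is the practical difference between the two stored forms.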
