My Intern

The document provides an overview of SECURIUM FOX, a cyber security consultancy company that offers penetration testing and other security services. It details the company's mission to prevent cyber attacks and data leaks by testing for vulnerabilities. Main services include penetration tests of web applications, mobile apps, networks, databases and more. Social engineering tests also evaluate how employees respond to social attacks. The company has over 15 years of experience and has completed over 100 projects.

Uploaded by

shiny Duddu
Copyright
© All Rights Reserved

CHAPTER 1

INTRODUCTION

1.1 OWASP Top 10 Vulnerabilities

1. Injection: Injection flaws, such as SQL injection, LDAP injection, and CRLF injection, occur
when an attacker sends untrusted data to an interpreter that is executed as a command without
proper authorisation.
Application security testing can easily detect injection flaws. Developers should use parameterised
queries when coding to prevent injection flaws.

2. Broken Authentication and Session Management: Incorrectly configured user and session
authentication could allow attackers to compromise passwords, keys, or session tokens, or take
control of users’ accounts to assume their identities.
Multi-factor authentication, such as FIDO or dedicated apps, reduces the risk of compromised
accounts.

3. Sensitive Data Exposure: Applications and APIs that don’t properly protect sensitive data such
as financial data, usernames and passwords, or health information, could enable attackers to access
such information to commit fraud or steal identities.
Encryption of data at rest and in transit can help you comply with data protection regulations.

4. XML External Entity: Poorly configured XML processors evaluate external entity references
within XML documents. Attackers can use external entities for attacks including remote code
execution, and to disclose internal files and SMB file shares.
Static application security testing (SAST) can discover this issue by inspecting dependencies and
configuration.

5. Broken Access Control: Improperly configured or missing restrictions on authenticated users
allow them to access unauthorised functionality or data, such as accessing other users’ accounts,
viewing sensitive documents, and modifying data and access rights.
Penetration testing is essential for detecting non-functional access controls; other testing
methods only detect where access controls are missing.

6. Security Misconfiguration: This risk refers to improper implementation of controls intended to
keep application data safe, such as misconfiguration of security headers, error messages containing
sensitive information (information leakage), and not patching or upgrading systems, frameworks,
and components.
Dynamic application security testing (DAST) can detect misconfigurations, such as leaky APIs.

7. Cross-Site Scripting: Cross-site scripting (XSS) flaws give attackers the capability to inject
client-side scripts into the application, for example, to redirect users to malicious websites.
Developer training complements security testing to help programmers prevent cross-site
scripting with coding best practices, such as encoding data and input validation.

8. Insecure deserialisation: Insecure deserialisation flaws can enable an attacker to execute code
in the application remotely, tamper or delete serialised (written to disk) objects, conduct injection
attacks, and elevate privileges.
Application security tools can detect deserialisation flaws but penetration testing is frequently
needed to validate the problem.

9. Using Components With Known Vulnerabilities: Developers frequently don’t know which
open source and third-party components are in their applications, making it difficult to update
components when new vulnerabilities are discovered. Attackers can exploit an insecure component
to take over the server or steal sensitive data.
Software composition analysis conducted at the same time as static analysis can identify insecure
versions of components.

10. Insufficient Logging and Monitoring: The time to detect a breach is frequently measured in
weeks or months. Insufficient logging and ineffective integration with security incident response
systems allow attackers to pivot to other systems and maintain persistent threats.
Think like an attacker and use pen testing to find out if you have sufficient monitoring; examine
your logs after pen testing.
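Item 1 above names parameterised queries as the fix for injection. As an added example (not code from the original report), the following Python script builds a small SQLite table and runs the same lookup both ways: `find_user_unsafe` splices the input into the SQL text, so a value that carries SQL syntax changes the query's logic, while `find_user_safe` passes the value as a bound parameter that the database never parses as SQL. The table, the rows and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Create an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    # Constructed sample rows; the hashes are placeholders, not real digests.
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "placeholder-hash-1"), ("bob", "placeholder-hash-2")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """Vulnerable: the untrusted value is spliced into the SQL text."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Parameterised: the value travels separately from the statement."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Compare both lookups on a benign name and on a value that carries SQL syntax."""
    conn = make_db()
    benign = "alice"
    crafted = "nobody' OR '1'='1"   # constructed input containing SQL syntax
    return {
        "benign_unsafe": find_user_unsafe(conn, benign),
        "benign_safe": find_user_safe(conn, benign),
        "crafted_unsafe": find_user_unsafe(conn, crafted),
        "crafted_safe": find_user_safe(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the benign name both functions return the same single row; with the crafted value the concatenated query returns every user, while the parameterised query returns nothing because the whole string is compared literally against the username column. The same separation of data from statement text is what application security testing looks for when it flags string-built queries.
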
1.2 PENETRATION TESTING

The main objective of penetration testing is to identify security weaknesses. Penetration testing can
also be used to test an organisation's security policy, its adherence to compliance requirements, its
employees' security awareness and the organisation's ability to identify and respond to security
incidents.

Typically, the information about security weaknesses that are identified or exploited through pen
testing is aggregated and provided to the organisation's IT and network system managers, enabling
them to make strategic decisions and prioritise remediation efforts.

Burp Suite

Burp, or Burp Suite, is a graphical tool for testing web application security. The tool is written in Java
and developed by PortSwigger Web Security. It has three editions: a Community Edition that can be
downloaded free of charge, and a Professional Edition and an Enterprise Edition that can be purchased
after a trial period. The Community Edition has significantly reduced functionality. The suite is
intended to provide a comprehensive solution for web application security checks. In addition to basic
functionality, such as the proxy server, scanner and intruder, the tool also contains more advanced
options such as a spider, a repeater, a decoder, a comparer, an extender and a sequencer.

Damn Vulnerable Web App (DVWA)

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its
main goals are to be lightweight, easy to use and full of vulnerabilities to exploit. It is used to learn
or teach the art of web application security.

CHAPTER 2

2.1 COMPANY PROFILE & CORPORATE MISSION

SECURIUM FOX offers cyber security consultancy services with its expert and
experienced team. With more than 15 years of experience, we provide consulting services
to prevent cyber attacks and data leaks and to ensure that our customers are ready and
safe against cyber attacks.

In addition to pen-tests and consulting services, SECURIUM FOX prepares its customers
and field enthusiasts for real-life scenarios by providing training in a lab environment
that it prepared itself, with its young, dynamic team that constantly follows the field.

As long as hackers are part of our lives, there is always a risk of facing a cyber attack.
Over the years, given the number of attacks and their effects, cyber security has become
a critical precaution for all organisations and companies. SECURIUM FOX tests the
weak points of customers for possible attacks and provides consulting services to
eliminate these weak points.

The SECURIUM FOX team also supports the development of our country in this field
by supporting free events organised on a volunteer basis by the Octosec team.

The SECURIUM FOX team has completed more than 100 projects in Web Application
Penetration Testing for many companies, making its customers' projects more secure.

If we talk about Web Application Security, some questions arise: Are you developing
your web applications according to secure software development standards? Do you
know whether you may have vulnerabilities in your web application or server? Can
attackers gain access to your private area or your server?

We simulate the cyber attack scenarios that the customer will encounter, using many
new-generation cyber attack techniques, and report in detail all the precautions the
institution has to take. We analyse your entire environment, such as web applications,
web services, web servers etc. We also provide source code analysis consultancy to our
customers for more security. At the same time, we also provide the necessary counselling
services for these weaknesses.

2.2 MAIN SERVICES

Penetration Test Services

“Cyber security experts who work for SECURIUM FOX analyze their customers’
systems with a real hacker’s eye and work hard to find all the weaknesses. SECURIUM
FOX Red Team provides the best solutions for their customers with more than 10 years of
experience.”

EBA Compatible Penetration Tests

The target of cyber attacks is no longer fun, it is money. Recently, the APT attacks on
banks have shown us how these attacks damage financial standing and reputation. The EBA
(European Banking Authority) published a report to improve the process. According to the
report, the aim of the penetration test is ‘Detection of security vulnerabilities that could
lead to access to sensitive information before these are abused’.

SECURIUM FOX has an experienced and expert penetration test team. The team performs the
tests successfully based on the BDDK definition and supports customers in solving the
problems detected.

Penetration tests include:

- Communication Infrastructure and Active Devices
- DNS Services
- Domain and User Computers
- Email Services
- Database Systems
- Web Applications
- Mobile Apps
- Wireless Network Systems
- ATM Systems
- Distributed Denial of Service (DDoS) Tests
- Social Engineering Tests


Social Engineering Tests

You may already have secured your company through consulting services and
penetration testing services. But another important question is how the employees of your
company react to social engineering attacks planned and carried out by cyber
attackers. The SECURIUM FOX team can test your company to measure the information
security awareness of its employees in terms of social engineering.

SCADA Penetration Tests

SCADA systems (Industrial Control Systems, or Supervisory Control and Data Acquisition)
are important for business continuity. Therefore, attacks on SCADA systems can cause big
financial losses. Penetration tests ensure that the vulnerabilities are eliminated
before attacks happen. If you want a penetration test specifically for Industrial Control
Systems, you may contact us.

Network Penetration Tests

The SECURIUM FOX team can take a full inventory of your network by performing
Network Penetration Tests that identify vulnerabilities in your network devices, servers,
personal computers and all other inventory items. With its expert team, it provides
network penetration testing services to many corporations and private companies.

The team simulates the cyber attack scenarios that the institution will encounter, using many
new-generation cyber attack techniques, before they arrive, and reports in detail all the
precautions the institution has to take. At the same time, it also provides the necessary
counselling services for these measures.

As the SECURIUM FOX team, the services we provide in the field of Network Penetration
Testing are as follows.

External Network Penetration Test

We conduct security tests from your external network, completely professionally and in
accordance with the standards, from the hacker's point of view. After the test, we offer
suggestions regarding possible security weaknesses and solutions to close those weaknesses.

Local Network Penetration Testing

What can attackers who access your internal network do? Is your internal network system
really secure? SECURIUM FOX provides local network penetration testing
services with a team of experts who have been involved in network penetration tests for
many years.

Wireless Network Penetration Test

We test the security of your wireless network and the devices connected to your wireless
network.

Red Team Penetration Tests

Are you ready for a real hacker attack? How will your technical team react during and
after the attack? A long-term penetration test is performed as a target-focused attack, with
informal and external support. The SECURIUM FOX Red Team performs attacks like
a real hacker group, drawing on its experience.

APT Simulation Attacks

Physical Cyber Security

Mail Gateway Security Test

Load & Stress Test


CHAPTER 3

TRAINING AND DEVELOPMENT

3.1 TRAINING DETAILS

1. Information Gathering

Information Gathering and getting to know the target systems is the first process in ethical
hacking. Here we are going to gather as much information as we can about the IP of the
target, the technology that is used on the website, the domain name info, which programming
language is used, what kind of server is installed on it, and what kind of database is being
used.

The information gathering tools include:

- Nmap
- Zenmap
- Dnsmap
- Netcraft

2. Footprinting and Reconnaissance

Footprinting is part of the reconnaissance process and is used for gathering possible
information about a target computer system or network. Footprinting is of two types, passive
and active: reviewing a company’s website is an example of passive footprinting, while
attempting to gain access to sensitive information through social engineering is active
information gathering.

During this phase, a hacker can collect the following information:

Domain name, IP addresses, namespaces, employee information, phone numbers, e-mails,
job information.

The tools used are:

- Sublist3r
- theHarvester
- Whois Lookup

3. Scanning Networks

Scanning is another essential and necessary step; it refers to the set of techniques and
procedures used to identify hosts, ports, and various services within a network. Hackers and
pen-testers check for live systems and open ports, scan beyond the IDS (Intrusion Detection
System), and perform banner grabbing, a method for obtaining information about the targeted
system on a network and the services running on its open ports. Telnet and ID Serve are the
tools mainly used to perform banner grabbing. This information may be used by
intruders/hackers to draw up lists of applicable exploits, scan for vulnerabilities and
prepare proxies.

The tools used for scanning are:

- Advanced IP Scanner
- NetBIOS enumeration tool
- Vega

4. Enumeration

Enumeration is the process of extracting user names, machine names, network resources,
shares and services from a system. The attacker creates an active connection to the system and
performs directed queries to gain more information about the target. The gathered
information is used to identify vulnerabilities or weak points in system security, which the
attacker then tries to exploit in the system gaining phase.

The tools used are:

- Sparta
- Nikto
- nmap

5. Vulnerability Analysis

It is the process of identifying vulnerabilities in computer systems, networks, and
communication channels. It is performed as a part of auditing and also to defend the systems
from further attacks. The vulnerabilities are identified, classified and reported to the
authorities so that the necessary measures can be taken to fix them and protect the
organization. Different types of vulnerability assessment scans include:

1. Network-based scans
2. Host-based scans
3. Wireless network scans
4. Application scans

6. System Hacking

System hacking is defined as the compromise of computer systems and software to gain
access to the target computer and steal or misuse its sensitive information. After
compromising the victim's system, the hacker can ruin the victim's data by deleting files,
steal files and folders, hijack the victim's username and password, steal money and credit card
details while the victim is doing e-marketing or online transactions, sell the victim's information
to third parties who may use it for illicit purposes, or create traffic to shut down
the victim's website.

7. Malware Threats

Malware is malicious software which, when it enters the target host, gives an attacker full or
limited control over the target. It can either damage or modify the functionality of the target
host, helping an attacker to steal or destroy information. Various types of malware are viruses,
Trojans, worms, and rootkits.

8. Sniffing

Sniffing is the process of monitoring and capturing all the packets passing through a given
network using sniffing tools. One can sniff sensitive information from a network such as
email traffic, FTP passwords, web traffic, Telnet passwords, router configuration, chat
sessions, and DNS traffic.

Tools used are:

- Wireshark
- Tcpdump
- hping

9. Social Engineering

Social engineering is manipulating the users of a computing system into revealing
confidential information that can be used to gain unauthorized access to a computer system.
Some of the social engineering attacks are phishing, tailgating, pretexting and baiting.

10. Denial of Service

A denial of service (DoS) attack is an attack against a computer or network which reduces,
restricts or prevents the accessibility of its system resources to authorized users.

Types of DoS:

- SYN flooding
- Fragmentation attacks
- Application layer attacks

CHAPTER 4

IMPLEMENTATION AND CHALLENGES

This chapter consists of the exploitation of one of the vulnerabilities of Damn Vulnerable Web
App, bugs reported in bug bounty programmes, and the challenges and issues faced during the
internship.

4.1 IMPLEMENTATION

Damn Vulnerable Web App (DVWA)

It is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid
for security professionals to test their skills and tools in a legal environment, help web
developers better understand the processes of securing web applications and aid
teachers/students to teach/learn web application security in a classroom environment.

DVWA – Command Injection

Command injection is an attack in which the goal is execution of arbitrary commands on the
host operating system via a vulnerable application. Command injection attacks are possible
when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to
a system shell. In this attack, the attacker-supplied operating system commands are usually
executed with the privileges of the vulnerable application. Command injection attacks are
possible largely due to insufficient input validation.

Command Injection Operators

The developer may have set filters to block some metacharacters. This would block our
injected data, so we need to try other metacharacters too, as shown in the
following table:

Operator        Description

;               The semicolon is the most common metacharacter used to test an injection
                flaw. The shell runs all the commands in sequence, separated by the
                semicolon.

&               Separates multiple commands on one command line. It runs the first
                command, then the second command.

&&              Runs the command following && only if the preceding command is
                successful.

|| (Windows)    Runs the command following || only if the preceding command fails: it runs
                the first command, then runs the second command only if the first command
                did not complete successfully.

| (Linux)       Redirects the standard output of the first command to the standard input of
                the second command.

`               The backtick (unquoting metacharacter) forces the shell to interpret and run
                the command between the backticks. For example:
                variable="OS version: `uname -a`" && echo $variable

()              Used to nest commands.

#               Used as a command line comment.

Steps To Exploit

Step 1: Identify the input field

Step 2: Understand the functionality

Step 3: Try the Ping method time delay

Step 4: Use various operators to exploit OS Command Injection


Low

At the low security level, each and every operator is accepted, as shown in the view
source.

Keep the security level low.

The underlying code does not check whether $target matches an IP address, and there is no
filtering of special characters. When you give an IP address, or an IP address followed by any
command separated by a separator, in DVWA you can only see the output; you cannot modify
the request. In order to modify it, you have to send this request to Burp Suite.

Turn intercept on in Burp Suite and resubmit the IP address, so that the entire request is
intercepted in Burp Suite; then send it to Repeater by right-clicking.

Now go to Repeater; as you can see, there are two tabs, Request and Response.
We call it Repeater because we can change the request as many times as we want and see
the response in the Response tab after clicking Go at the top of the Request tab.

For example, here we change the request from dir to whoami, and you can see that the
response also changes.

You can see the output in the <pre> tag.


Medium

At the medium level, more filters or other countermeasures are added as the security level has
been increased from low to medium. One of them is that whenever a separator like && or ; is
given, it is replaced with null (removed) and not taken, as shown in the source view.

Set the security level to medium.

For example, take &&, which it will replace with null.

Then it will show that you have entered an invalid IP.

But if we give a single pipe, it will accept it.

At the HIGH level, it will take almost nothing, but it will take a single pipe without a space, as
shown in the source code.

At the IMPOSSIBLE level, it will not take anything like command separators or commands; it will
take only integers (i.e. an IP address), as shown in the source code.

Bug Bounty

A bug bounty is a deal offered by many websites, organizations and software
developers by which individuals can receive recognition and compensation [1] for
reporting bugs, especially those pertaining to exploits and vulnerabilities.

Vulnerability Name: Password Token Leak Via Third Party

Vulnerability Description:

The token is leaked by the server to a third-party site, and that token can be used by third
parties to reset the password, take over the account and log in directly to your account.

Steps To Reproduce:

1) Go to the https://account.magento.com/customer/account/forgotpassword/ form and send a reset
password link to your email address.

2) Now go to your email, turn Burp Suite intercept on and click on the reset password link. Check for
the requests having the token in the Referer header and a third-party website as the host, and copy the link.

3) Now turn intercept off and reset the password (with that link).

4) Now reset the password.
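As an added example written for this report (not part of the original bug report), the following Python script shows how the leak described above can be spotted in proxy or access logs and how the reset page can prevent it. `referer_leaks_token` flags a request to any host other than the first-party site whose Referer header is a first-party reset URL still carrying a token parameter, which is the check performed by hand in step 2; `reset_page_headers` returns the response headers that stop browsers from sending that Referer in the first place. The host names, the parameter name and the sample requests are constructed placeholders, not values from the report.

```python
from urllib.parse import parse_qs, urlparse

# Assumed first-party host and reset-token parameter name (placeholders).
FIRST_PARTY_HOST = "account.example.com"
TOKEN_PARAMS = {"token"}

# Constructed sample of outbound requests as an intercepting proxy might record
# them while a reset page loads. Not real traffic.
SAMPLE_REQUESTS = [
    {"host": "account.example.com",
     "path": "/customer/account/createpassword/?token=EXAMPLE-TOKEN",
     "referer": ""},
    {"host": "cdn.third-party.example",
     "path": "/widget.js",
     "referer": "https://account.example.com/customer/account/createpassword/?token=EXAMPLE-TOKEN"},
    {"host": "cdn.third-party.example",
     "path": "/pixel.gif",
     "referer": "https://account.example.com/"},
]


def referer_leaks_token(request):
    """True when a third-party request carries a first-party reset token in its Referer."""
    if request["host"] == FIRST_PARTY_HOST or not request["referer"]:
        return False
    ref = urlparse(request["referer"])
    if ref.hostname != FIRST_PARTY_HOST:
        return False
    params = parse_qs(ref.query)
    return any(name in params for name in TOKEN_PARAMS)


def find_leaks(requests):
    """Return 'host/path' for every request that leaks a token via Referer."""
    return [r["host"] + r["path"] for r in requests if referer_leaks_token(r)]


def reset_page_headers():
    """Mitigation: response headers for the reset page so no Referer leaves it."""
    return {
        "Referrer-Policy": "no-referrer",   # browsers send no Referer from this page
        "Cache-Control": "no-store",        # keep the tokenised URL out of caches
    }


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_REQUESTS):
        print("token leaked to:", leak)
```

Only the script request to the third-party host is reported: it is the one whose Referer is the first-party reset URL with the token still in the query string. The pixel request to the same host is not flagged because its Referer carries no token. On the server side, the same check can run over access logs of the reset page's embedded third-party resources, and the headers returned by `reset_page_headers` remove the leak at its source.
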


4.2 CHALLENGES AND ISSUES

It is very challenging to find more and more bugs and vulnerabilities in web
applications and to learn in detail about each and every thing. The issues I have faced are that
the network connection needs to be stable and the victim should be on the same network.
