Pentesting Project: Security Assessment Web Application Security Test Results


Security Assessment Web Application Security Test Results

Pentesting Project
By:
Aaron Webb Dunne – C00247966


Web Application Security Assessment

_______________________________________________

On-demand security penetration test of:

Xtreme Vulnerable Web Application (XVWA)

15 January – 11 February 2022

_______________________________________________


Table of Contents

1 Executive Summary
  1.1 Target Description
  1.2 Application Status
  1.3 Security Test Summary
  1.4 Summary of Findings
2 Security Test
  2.1 Introduction
  2.2 Objectives and Scope
  2.3 Test Criteria
    2.3.1 Application(s) tested
    2.3.2 Dates within which testing took place
  2.4 Detailed Findings and Recommendations
  2.5 Ranking Risks
  2.6 Detailed Main Findings and Recommendations Matrix
  2.7 Attacks performed and findings
    Cross Site Scripting - Reflected
    OS Command Injection
    Cross Site Scripting - Stored
    File Inclusion
    SQL Injection (Blind)
    Redirects and Forwards
    CSRF
    Session Hijacking


1 Executive Summary:

1.1 Target Description


The target is XVWA (Xtreme Vulnerable Web Application), a web application written in PHP/MySQL.

1.2 Application Status


The application is owned by @s4n7h0 and @samanL33T and is currently in its finished state.

1.3 Security Test Summary


A security test of the XVWA web application was performed between 15 January and 11 February 2022
inclusive.

The security tests were performed against a staging environment at the request of coffehut.ie, as testing
against the production environment was not permitted. As such, any vulnerabilities are reported here without
due consideration as to whether they exist in the corresponding production environment.

The testing concluded that there were 1 high-risk finding, 6 medium-risk findings and 0 low-risk findings
on the web site. The findings have been consolidated for this summary and additional information is contained
within the detailed report.

1.4 Summary of Findings


• Finding 1 – Medium Risk (7/10): Cross Site Scripting (reflected). Injected HTML and JavaScript can
  manipulate the site and steal cookies.

• Finding 2 – Medium Risk (6/10): OS Command Injection. Host system information can be read, including
  IP settings, running software and hardware details.

• Finding 3 – Medium Risk (6.5/10): Cross Site Scripting (stored). Cookies can be stolen, and an external
  website or a dangerous link can be embedded in stored content.

• Finding 4 – Medium Risk (6.5/10): File Inclusion. Local files can be read and displayed.

• Finding 5 – Medium Risk (6/10): Redirects and Forwards. Users can be redirected to a potentially
  dangerous site that could serve malware.

• Finding 6 – High Risk (8.5/10): CSRF. Passwords can be changed without the user knowing.

• Finding 7 – Medium Risk (7.5/10): Session hijacking. A captured session token can be used to log in as
  the user.


2 Security Test:

2.1 Introduction
The intent is to assess the security vulnerabilities of these systems, which could lead to a compromise of
confidential information or otherwise damage reputation.
In general, the systems tested can include the defenses of public-facing web applications.
The types of vulnerabilities identified are wide ranging, and can be "built-in" during the design, build or
support phases or can be caused by missing patches at the application server or operating system level. The
testing team can also identify security issues in the configuration of firewalls and other network perimeter
devices.
Once identified, the team will assess whether further exploitation can safely provide any additional meaningful
information or whether the extent of the vulnerability has been established. In all cases, recommendations for
the identified vulnerabilities are provided so that they can be fixed.
Assessments are usually conducted from the point of view of both an unauthorized attacker and an authorized
malicious user who may be intent on either elevating their privileges or attacking the application for other
gain.

2.2 Objectives and Scope


The objective of this assignment was to perform controlled attack and penetration activities to assess the
overall level of information privacy, integrity, and security of the XVWA web application.
The security test was conducted from the perspective of both an unauthorized attacker and a malicious user.
These tests were conducted between 15 January and 11 February 2022 inclusive, and the security tests were
conducted within the parameters signed off in the Agreement of Criteria (outlined in section 2.3, Test
Criteria).
The security tests were performed against a staging environment. As such, any vulnerabilities are reported
here without due consideration as to whether they exist in the corresponding production environment.


2.3 Test Criteria


The following are the criteria that were assessed.

2.3.1 Application(s) tested

No. | URL | Environment | Owner
1 | https:// (XVWA - Xtreme Vulnerable Web Application) | Test application on staging application server | @s4n7h0, @samanL33T

2.3.2 Dates within which testing took place

From 27 January 2022 to 10 February 2022: Network Scanning
Scanning tests will be conducted during the specified dates and times. These tests are used to establish the
scope of the overall test. Scans to be conducted include:
• Application Scanning
• Port scanning of firewall(s)
• Identification of type

From 15 January 2022 to 26 January 2022: Attack & Penetration
Attack and penetration testing conducted during the specified dates and times. This will include looking for
specific vulnerabilities including:
• Exploitation of HTTP
• Authentication Exploitation
• Directory Traversal
• Session Replay Attack
• Session Hijacking
• File inclusion
• SQL Injection
• SQL Injection (Blind)
• Redirects and Forwards
• XSS Reflected
• XSS Stored
• XSS DOM
• CSRF

2.4 Detailed Findings and Recommendations
The following section specifically illustrates the findings and recommendations that should be implemented to better secure and control the application. As
with all recommendations that affect computer systems and production processing, these recommendations should be tested during non-production hours
prior to their implementation. It is also prudent to have a full-system backup prior to implementing system changes.

2.5 Ranking Risks


The testing team initially ranks the vulnerabilities in turn to establish an overall threat perspective. This is done using a variation of the Microsoft D.R.E.A.D.
formulation. Once the threat has been identified, the result is ranked as either a high, medium or low risk. This is based upon the risk they pose to the web
application Xtreme Vulnerable Web Application (XVWA). Please note that each of the vulnerabilities is ranked in isolation to determine whether the
system would be vulnerable if other security measures and configurations were not in place. Reference the following tables for definitions of the risk ranking
process:

Risk Rating Threat

0.0 Observation

0.1 - 4.0 Low Risk

4.1 - 8.0 Medium Risk

8.1 - 10.0 High Risk

D.R.E.A.D. scoring definitions (score bands 0–2, 3–4, 5–6, 7–8, 9–10):

Score 0–2
• Damage Potential: Trivial information about the target disclosed. Trivial cost associated with impact.
• Reproducibility: Very difficult to reproduce (more than 24 hours).
• Exploitability: Seasoned security skills and/or specialised tools required.
• Affected Users: Very small, limited user group (under 100).
• Discoverability: Very difficult to find (over 24 hours).

Score 3–4
• Damage Potential: Significant information about the target architecture and/or application disclosed. Limited cost associated with impact.
• Reproducibility: Difficult to reproduce (within 24 hours).
• Exploitability: Extensive skills and tools required.
• Affected Users: Small user group (100 - 1,000).
• Discoverability: Difficult to find (within 24 hours).

Score 5–6
• Damage Potential: Extended or increased functional control of the application and/or underlying system. Moderate cost associated with impact.
• Reproducibility: Moderately difficult to reproduce (within 2 hours).
• Exploitability: Moderate skills and tools required.
• Affected Users: Moderate user group (between 1,000 - 5,000).
• Discoverability: Moderate effort required to find (within 4 hours).

Score 7–8
• Damage Potential: Full control of the application and/or the ability to view underlying network or database infrastructure. Large cost associated with impact.
• Reproducibility: Easy to reproduce (within 5 minutes).
• Exploitability: Limited skills and tools required.
• Affected Users: Large user group (between 5,000 - 20,000).
• Discoverability: Easily found (within 2 hours).

Score 9–10
• Damage Potential: Full compromise of network or database infrastructure. Extensive cost associated with impact.
• Reproducibility: Very easy to reproduce (30 seconds or less).
• Exploitability: No skill or tools required.
• Affected Users: Open to the general Internet with no authentication, or a very large group requiring authentication (20,000++).
• Discoverability: Very easily found (within 1 hour).

2.6 Detailed Main Findings and Recommendations Matrix

The following matrix outlines the main findings from the testing that was conducted. Each finding is scored out
of 10 on the five D.R.E.A.D. factors, the scores are weighted as below, and the weighted total is banded using
the risk rating table in section 2.5.

D.R.E.A.D. Threat Rating weights: Damage Potential 40%, Reproducibility 5%, Exploitability 10%,
Affected Users 40%, Discoverability 5% (total 100%).

The totals are as reported; they are not the exact weighted sums (finding 1 computes to 6.65 with these
weights) and the rounding used is not stated.

1. XSS - reflected
Damage 7, Reproducibility 7, Exploitability 7, Affected Users 6, Discoverability 8 | Total 7 | Medium
Recommendations for improvement:
• Filter input on arrival: filter as strictly as possible, accepting only what is expected
• Encode data on output

2. OS Command Injection
Damage 6, Reproducibility 7, Exploitability 6, Affected Users 5, Discoverability 5 | Total 6 | Medium
Recommendations for improvement:
• Avoid calling OS commands directly
• Input validation
• Escape commands
• Run applications with the lowest privileges required
• Isolate accounts so that each can be used for one task only

3. XSS - Stored
Damage 7, Reproducibility 6, Exploitability 7, Affected Users 6, Discoverability 8 | Total 6.5 | Medium
Recommendations for improvement:
• Use correct response headers
• Use a Content Security Policy, which reduces the severity of XSS vulnerabilities

4. File inclusion
Damage 7, Reproducibility 6, Exploitability 6, Affected Users 5, Discoverability 7 | Total 6.5 | Medium
Recommendations for improvement:
• Assign IDs to file paths so that only the ID is exposed, not the full path
• Use whitelisting
• Use a database rather than files

5. Redirects
Damage 6, Reproducibility 6, Exploitability 7, Affected Users 5, Discoverability 6 | Total 6.0 | Medium
Recommendations for improvement:
• Use a web application firewall
• Use an automated website scanner

6. CSRF
Damage 8, Reproducibility 7, Exploitability 9, Affected Users 8, Discoverability 8 | Total 8.5 | High
Recommendations for improvement:
• Use a CSRF token
• Double-submit cookie prevention
• SameSite cookie prevention
• Custom request header

7. Session hijacking
Damage 8, Reproducibility 7, Exploitability 8, Affected Users 6, Discoverability 7 | Total 7.5 | Medium
Recommendations for improvement:
• Use HTTPS
• Use HttpOnly
• Session management and key
• Identity verification


2.7 Attacks performed and findings

Each entry below gives the attack, the date it was performed and the result.

Cross Site Scripting - reflected (16 January 2022)
The site is vulnerable to XSS, as HTML and JavaScript can be used to manipulate the site.
Finding: user cookies can be stolen.

OS command injection (17 January 2022)
The site is vulnerable to OS command injection. Using the input
127.0.0.1 | dir
directory information and host system information were revealed, and
127.0.0.1 | systeminfo
gives out all information on the system running the application.

Cross Site Scripting - stored (18 January 2022)
When entering
<script>alert("This is a XSS Exploit Test")</script>
a text alert box appears. Entering
<script>alert(document.cookie)</script>
displays the session cookie, PHPSESSID=m1u4k1mpo8kqmg96576tv77emo, so the cookie is readable by injected
script (it is not marked HttpOnly). Entering
<iframe src="http://www.cnn.com"></iframe>
embedded an external website under the message.
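Output encoding and a Content Security Policy, the recommendations for findings 1 (reflected, 16 January) and 3 (stored, above), as an added example that is not code from the report or from XVWA. The three probes are copied from the log; the render functions and the header value are assumptions standing in for the page templates. Each function encodes for one output context, because the entity encoding that is right for an element body is not sufficient inside a script block.

```python
import html
import json

# Constructed copies of the probes recorded in the log, used as test input.
PROBES = [
    '<script>alert("This is a XSS Exploit Test")</script>',
    "<script>alert(document.cookie)</script>",
    '<iframe src="http://www.cnn.com"></iframe>',
]


def render_vulnerable(message: str) -> str:
    """Constructed stand-in for the pattern behind findings 1 and 3: untrusted
    text concatenated straight into the page. Shown for contrast only."""
    return f'<div class="message">{message}</div>'


def render_html_body(message: str) -> str:
    """HTML element context: & < > " ' become entities, so the browser shows the
    probe as text instead of creating a script or iframe element."""
    return f'<div class="message">{html.escape(message, quote=True)}</div>'


def render_html_attribute(value: str) -> str:
    """Quoted attribute context: same entity encoding, and the value is always
    wrapped in double quotes so it cannot break out of the attribute."""
    return f'<input type="text" name="search" value="{html.escape(value, quote=True)}">'


def render_js_string(value: str) -> str:
    """Script context: emit a JSON string literal and additionally escape '</'
    so the data can never terminate the surrounding <script> element."""
    literal = json.dumps(value).replace("</", "<\\/")
    return f"<script>var search = {literal};</script>"


# Second layer (the CSP recommendation for finding 3): no inline script, scripts
# only from this origin, no plugins, no framing of other sites. Sent as a
# response header. The directive values are an assumption; tune to the site.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; "
              "frame-src 'none'; base-uri 'self'")


def is_neutralised(rendered: str, probe: str) -> bool:
    """True when the probe no longer appears verbatim in the rendered output."""
    return probe not in rendered


if __name__ == "__main__":
    for probe in PROBES:
        print(render_vulnerable(probe))
        print(render_html_body(probe))
    print(f"{CSP_HEADER[0]}: {CSP_HEADER[1]}")
```

With the CSP in place the stored iframe and inline alert are blocked by the browser even where encoding was missed, which is why the report lists it as reducing severity rather than as the primary fix; the encoding functions remain the primary fix.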

File inclusion (24 January 2022)
Requesting xvwa/vulnerabilities/fi/?file=index.php shows index.php on the page, so local file inclusion
works as an attack. Remote files won't be included until the server setting is changed.
Note: if allow_url_include is set to On, remote file inclusion would also work.
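The ID-to-path mapping and whitelisting recommended for finding 4, as an added example that is not code from the report or from XVWA. The allowlist entries and the content root are constructed. The client sends an ID; the file name never appears in the request, so the ?file=index.php style of parameter has nothing to traverse. A second, independent check confirms the resolved path is still under the content root, which protects against a mistaken allowlist entry as well as against user input.

```python
import os

# Recommendation for finding 4 applied: the client sends an ID, never a path.
# Constructed allowlist; the content root directory is an assumption.
CONTENT_ROOT = os.path.realpath(os.path.join(os.getcwd(), "pages"))
PAGE_BY_ID = {
    "1": "index.php",
    "2": "about.php",
    "3": "contact.php",
}


class IncludeRejected(Exception):
    """Raised for any include request that is not an exact allowlisted ID."""


def within_root(relative: str) -> bool:
    """Defence in depth: after symlink and '..' resolution the file must still
    sit under CONTENT_ROOT. Guards against a bad allowlist entry too."""
    candidate = os.path.realpath(os.path.join(CONTENT_ROOT, relative))
    try:
        return os.path.commonpath([CONTENT_ROOT, candidate]) == CONTENT_ROOT
    except ValueError:          # paths on different drives (Windows)
        return False


def is_remote(value: str) -> bool:
    """The remote-file probe in the log: any value carrying a URL scheme
    (http://, ftp://, php://, data:). Such values must never reach include()."""
    return "://" in value or value.lower().startswith(("php:", "data:", "file:"))


def resolve_include(page_id: str) -> str:
    """Map an ID to an absolute file path, or raise IncludeRejected.

    '../../etc/passwd', 'index.php' and 'http://evil/shell.txt' all fail the
    dictionary lookup, so they never touch the filesystem.
    """
    if is_remote(page_id):
        raise IncludeRejected(f"remote include refused: {page_id!r}")
    try:
        relative = PAGE_BY_ID[page_id]
    except KeyError:
        raise IncludeRejected(f"unknown page id {page_id!r}") from None
    if not within_root(relative):
        raise IncludeRejected(f"{relative!r} resolves outside {CONTENT_ROOT}")
    return os.path.join(CONTENT_ROOT, relative)


if __name__ == "__main__":
    for probe in ("1", "index.php", "../../etc/passwd", "http://evil.example/shell.txt"):
        try:
            print(probe, "->", resolve_include(probe))
        except IncludeRejected as err:
            print(probe, "->", err)
```

On the PHP side the equivalent is an array lookup keyed by the ID before include(), with allow_url_include left at Off in php.ini (the setting named in the note above) so that a future regression cannot turn a local inclusion into a remote one.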


SQL injection (blind) (27 January 2022)

Redirects and Forwards (31 January 2022)
The site links through redirect.php with the destination in the forward parameter:
<a href="redirect.php?forward=https://www.owasp.org">Open Web Application Security Project</a>
In this attack the URL in forward can be changed so the user is redirected to another link, such as a
dangerous site or a download; in this test google.com was used:
<a href="redirect.php?forward=https://google.com">Open Web Application Security Project</a>
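A server-side check for the forward parameter, added here as an example; it is not code from the report or from XVWA, and it goes beyond the recommendations listed for finding 5 (a web application firewall and a scanner detect open redirects but do not prevent them). The site host and the allowlist are assumptions. Besides the google.com probe above it rejects the variants an attacker reaches for once plain hosts are blocked: protocol-relative //host, the backslash form /\host that browsers read as //host, javascript: URLs, and userinfo tricks such as https://www.owasp.org@evil.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist. The site's own host is an assumption; the OWASP host
# is the destination the page's legitimate link already uses.
SITE_HOST = "www.example.com"
ALLOWED_HOSTS = {SITE_HOST, "www.owasp.org"}
DEFAULT_LANDING = "/"


def safe_forward(forward: str) -> str:
    """Return a redirect target we are willing to send, else DEFAULT_LANDING.

    Accepted: a same-site rooted path ('/account?x=1') or an https URL whose
    host is on the allowlist. Everything else falls back to the landing page.
    """
    if not forward:
        return DEFAULT_LANDING
    candidate = forward.strip().replace("\\", "/")   # browsers treat '\' as '/'
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Relative reference: keep only a rooted path that is not '//host'.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, ""))
        return DEFAULT_LANDING
    if (parts.scheme == "https" and parts.username is None
            and parts.hostname in ALLOWED_HOSTS):
        # Rebuild from parsed parts so fragments and oddities are dropped.
        return urlunsplit(("https", parts.netloc, parts.path or "/", parts.query, ""))
    return DEFAULT_LANDING


if __name__ == "__main__":
    for probe in ("https://www.owasp.org", "https://google.com", "/account",
                  "//evil.example", "/\\evil.example", "javascript:alert(1)",
                  "https://www.owasp.org@evil.example/"):
        print(f"{probe!r:40} -> {safe_forward(probe)}")
```

Where the set of destinations is small, an even tighter design is the same ID lookup used for file inclusion: redirect.php?to=owasp resolved through a table, so no URL is ever accepted from the client at all.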

CSRF (2 February 2022)
The change-password request is submitted as a GET with the new password in the query string:
/xvwa/vulnerabilities/csrf/?passwd=1234&confirm=1234&submit=submit
If a new URL is used, such as
/xvwa/vulnerabilities/csrf/?passwd=123&confirm=123&submit=submit
it changes the password without the user knowing.

Session Flaw – session hijacking (3 February 2022)
The session token found through XSS, m1u4k1mpo8kqmg96576tv77emo, is fixed: the session ID is not
regenerated, so the token can be used in a private window to log in as the user who was signed in, hijacking
the session.
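The recommendations for findings 6 (CSRF) and 7 (session hijacking) in one added example, which is not code from the report or from XVWA: the session ID is regenerated at login so a fixed or previously captured ID dies at the privilege change, the cookie carries HttpOnly, Secure and SameSite so injected script cannot read it and cross-site requests do not send it, and the change-password action requires a POST with a session-bound token compared in constant time plus a matching Origin header when one is sent. The secret, the in-memory session store and the site origin are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side state for the example; a real application keeps the
# secret in configuration and the sessions in its session store.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {}                            # session id -> {"user": ..., "authenticated": bool}
SITE_ORIGIN = "https://www.example.com"  # assumption: the application's own origin


def new_anonymous_session() -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None, "authenticated": False}
    return sid


def login(old_sid: str, username: str) -> str:
    """Issue a fresh ID at the privilege change. The pre-login ID (the one an
    attacker could have fixed or captured earlier) is invalidated outright."""
    SESSIONS.pop(old_sid, None)
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"user": username, "authenticated": True}
    return new_sid


def session_cookie(sid: str) -> str:
    """Set-Cookie value: HttpOnly keeps it out of document.cookie (the token in
    finding 7 was read by injected script), Secure keeps it off plain HTTP,
    SameSite=Lax keeps it off cross-site POSTs."""
    return f"PHPSESSID={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def csrf_token(sid: str) -> str:
    """Keyed hash of the session ID: unguessable without SERVER_SECRET, needs no
    extra server state, and a token from one session is worthless in another."""
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def authorise_password_change(method: str, sid: str, token: str,
                              origin: Optional[str]) -> bool:
    """Every check a change-password request must pass before state changes."""
    if method != "POST":                      # GET links like ?passwd=123 never mutate
        return False
    session = SESSIONS.get(sid)
    if session is None or not session["authenticated"]:
        return False
    if origin is not None and origin != SITE_ORIGIN:   # browsers send Origin on POST
        return False
    return hmac.compare_digest(token, csrf_token(sid))  # constant-time comparison


if __name__ == "__main__":
    anon = new_anonymous_session()
    sid = login(anon, "alice")
    print(session_cookie(sid))
    form_token = csrf_token(sid)           # embed as a hidden field in the form
    print("legit POST:", authorise_password_change("POST", sid, form_token, SITE_ORIGIN))
    print("GET link:  ", authorise_password_change("GET", sid, form_token, None))
    print("old id:    ", authorise_password_change("POST", anon, csrf_token(anon), None))
```

The token is deliberately derived from the session ID rather than stored per request: that is what makes the double-submit and custom-header variants listed for finding 6 interchangeable with it, since each ties the request to something only the genuine origin can read. Note that HttpOnly does not stop an XSS payload from issuing requests in the victim's browser; it only stops the ID itself from being exfiltrated, which is exactly the replay in a private window that the finding describes.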
