ACS Penetration Testing Report v1

The document is a penetration testing report that summarizes testing of an application at http://techplusgroup.com.vn:33. It finds two high risk vulnerabilities: use of immutable strings to store passwords and a weak OTP generation function. It also finds a low risk missing key location configuration issue. The report provides details on the vulnerabilities found, their risks and statuses, as well as the methodologies, tools, and scope of testing.


PENETRATION TESTING REPORT

MENU
VERSIONING
Version Description Staff Date
V0.1 Initial scan and report update Phi Manh Loi 10/01/2021
V0.2 Testing and report update Mai Anh 15/01/2021
V0.3 Reinitial scan and report update Phi Manh Loi 27/02/2021
V0.4 Retesting and report update Mai Anh 01/03/2021
V1.0 QA and Final report Mai Anh 06/03/2021
SCOPE
The applications in scope are listed in the following table. Testing did not attempt Denial of Service tests. However, Denial of Service vulnerabilities inferred from testing without active exploitation are reported in this report.

WEB APPLICATION SCOPE


No Platforms Package Name Access level
1 Web Application http://techplusgroup.com.vn:33/ Authenticated
DISCLAIMER
The testers have reported on what they discovered through an external penetration test using industry best practices based on the PCI Approved Scanning Vendor (ASV) program guide, the Open Web Application Security Project (OWASP) web application security guidance and jurisdictional technical requirements. This report represents tests performed by the tester over several days that included, but were not limited to, active host detection, topology identification, Operating System and service fingerprinting, vulnerability detection and exploit execution where penetration testing was required. The information presented in this report is not to be regarded as legal advice. It does not express or imply any guarantee of compliance with any law or regulation. It is the sole responsibility of the user of this report to seek competent legal counsel for advice on any laws and regulatory requirements and to otherwise take whatever measures are necessary for such compliance. The tester assumes no responsibility for any use or misuse of any information presented in this report.
CAVEATS
- Denial of service
- Buffer overflow exploit
- Brute-force attack resulting in a password lockout
- Excessive usage of available communication bandwidth

TOOL AND SOFTWARE


- Nmap
- OWASP ZAP
- PentestBox
- Metasploit
- Burp suite
Vulnerability Assessment (severity mapped to CVSS score)
Vulnerability severity levels are based on the National Vulnerability Database (NVD) and Common Vulnerability Scoring System (CVSS) version 2 calculator as follows:
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator
CVSS score   Severity Level   Scan Result   Guidance
10.0         Critical         FAIL          Critical vulnerabilities pose a serious threat to an organization's security and should be fixed immediately. They may provide a total compromise of the target environment or similar dangerous impacts.
7 to 9.9     High             FAIL          High-risk vulnerabilities provide a severe risk to the company environment and should be corrected promptly. These issues can significantly affect the organization's security posture.
4 to 6.9     Medium           PASS          Medium severity vulnerabilities represent a moderate risk to the environment. They may require additional context before remediation but should be remediated after critical and high risks.
1 to 3.9     Low              PASS          Low severity vulnerabilities provide minimal risk to the target environment, and are often theoretical in nature. Remediation of low risks is often a lower priority than other security hardening techniques.
0            Information      PASS          Informational
Test Status
Description Date Status
Init test date 05/01/2021-15/01/2021 Completed
Retest date 25/02/2021-06/03/2021 Completed

The observed vulnerabilities were mitigated successfully during the retest of the
application.
No   ID   Vulnerability                                Risk Level   Status
1    H1   Use immutable string to store passwords      High         Closed
2    L1   Missing key location configuration           Low          Closed
3    H2   OTP generate function is not strong enough   High         Closed

Overall Status: Completed


Vulnerability Summary table (with risk level)

[Chart: number of vulnerabilities by risk level. Low: 1, Medium: 0, High: 2]

No.   OWASP Top 10 Application Security Risks      Vulnerability Findings
1     Injection                                    Not Found
2     Broken Authentication                        Not Found
3     Sensitive Data Exposure                      Use immutable string to store passwords; OTP generate function is not strong enough
4     XML External Entities (XXE)                  Not Found
5     Broken Access Control                        Not Found
6     Security Misconfiguration                    Missing key location configuration
7     Cross-Site Scripting (XSS)                   Not Found
8     Insecure Deserialization                     Not Found
9     Using Components with Known Vulnerabilities  Not Found
10    Insufficient Logging & Monitoring            Not Found
Detailed vulnerability findings
H1: Use immutable string to store passwords
Risk Rating: High
Exploitation Likelihood: High
Potential Impact: High
Description: Passwords are stored in immutable strings.
Impact: Strings are immutable in .NET, so holding a password in one is a security concern. Please use the links below to see the concern.
Remediation: Use SecureString instead of string to handle passwords.
Status: Fixed
Evidence: Code Snippet
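The following C# is an added illustration of finding H1 and its remediation; it is not the tested application's code or the report's evidence snippet. It contrasts a login that keeps the password in an immutable System.String with one that collects it into a SecureString, decrypts it only for the duration of verification and wipes every mutable copy. The user name, salt, PBKDF2 parameters and the 32-byte output length are constructed for the example, and it assumes .NET 6 or later for RandomNumberGenerator.GetBytes and Rfc2898DeriveBytes.Pbkdf2. One caveat worth knowing when applying the report's remediation: Microsoft does not recommend SecureString for new development, and on non-Windows platforms its contents are not encrypted in memory, so the durable control is to hold the plaintext no longer than verification takes and to store only a salted key-derivation hash.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the report or the tested application.
// Contrasts the H1 pattern (password held in an immutable System.String)
// with a SecureString flow that exposes the plaintext only briefly and
// wipes every mutable copy. The user store below is a constructed fixture.
public static class PasswordHandling
{
    // Constructed fixture: one user with a PBKDF2-SHA256 hash of a sample
    // password. A real store holds salt + hash per user, never the password.
    private const string DemoUser = "alice";
    private static readonly byte[] DemoSalt = RandomNumberGenerator.GetBytes(16);
    private static readonly byte[] DemoHash = Rfc2898DeriveBytes.Pbkdf2(
        Encoding.UTF8.GetBytes("correct horse"), DemoSalt, 100_000, HashAlgorithmName.SHA256, 32);

    // Finding H1 pattern: the password sits in a managed string. Strings are
    // immutable, so the value cannot be overwritten in place and stays
    // readable in the heap (plus any copies) until the GC reclaims it.
    public static bool LoginInsecure(string username, string password)
    {
        byte[] bytes = Encoding.UTF8.GetBytes(password); // yet another copy
        return Verify(username, bytes);                   // 'password' itself can never be wiped
    }

    // Remediated pattern: collect the password character by character into a
    // SecureString without ever materialising a System.String.
    public static SecureString ReadPassword()
    {
        var secure = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(intercept: true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace && secure.Length > 0)
                secure.RemoveAt(secure.Length - 1);
            else if (!char.IsControl(key.KeyChar))
                secure.AppendChar(key.KeyChar);
        }
        secure.MakeReadOnly();
        return secure;
    }

    public static bool LoginSecure(string username, SecureString password)
    {
        IntPtr unmanaged = IntPtr.Zero;
        char[] chars = new char[password.Length];
        byte[] bytes = null;
        try
        {
            // Decrypt into unmanaged memory, copy into mutable buffers whose
            // lifetime we control, verify, and fall through to the cleanup.
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(password);
            Marshal.Copy(unmanaged, chars, 0, chars.Length);
            bytes = Encoding.UTF8.GetBytes(chars);
            return Verify(username, bytes);
        }
        finally
        {
            // Zero and free every copy: unmanaged buffer, char[] and byte[].
            if (unmanaged != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
            Array.Clear(chars, 0, chars.Length);
            if (bytes != null) CryptographicOperations.ZeroMemory(bytes);
        }
    }

    // Hypothetical verifier: recompute PBKDF2 over the candidate and compare
    // with the stored hash in constant time, then wipe the derived key.
    private static bool Verify(string username, byte[] passwordBytes)
    {
        if (username != DemoUser) return false;
        byte[] candidate = Rfc2898DeriveBytes.Pbkdf2(
            passwordBytes, DemoSalt, 100_000, HashAlgorithmName.SHA256, 32);
        try { return CryptographicOperations.FixedTimeEquals(candidate, DemoHash); }
        finally { CryptographicOperations.ZeroMemory(candidate); }
    }

    public static void Main()
    {
        Console.Write("Password for alice: ");
        using SecureString pw = ReadPassword();
        Console.WriteLine(LoginSecure("alice", pw) ? "login ok" : "login failed");
    }
}
```

The point the example makes is that `LoginInsecure` leaves a copy it cannot clear, whereas `LoginSecure` can zero every buffer it created in the `finally` block because char[] and byte[] are mutable. Note that the fixture itself still builds the sample password as a string at class initialisation, which is acceptable for a constructed test fixture but is exactly what production code should avoid.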
H2: OTP generate function is not strong enough
Risk Rating: High
Exploitation Likelihood: High
Potential Impact: High
Description: The OTP is a simple random string and is not strong enough.
Impact: Non-cryptographic pseudorandom number generators (PRNGs) are not designed to be secure. The attacker observes a few outputs and eliminates the seeds that don't match the expectation. Once they're down to a single seed, they can predict all future outputs.
Remediation: Use TOTP (Time-based One-Time Password) instead of Random.
Status: Fixed
Evidence: Code Snippet
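The following C# is an added illustration of finding H2, not the application's code or the report's evidence. It places the weak pattern (an OTP drawn from System.Random, whose output is fully determined by its seed) beside an RFC 6238 TOTP built from an HMAC-SHA1 secret generated with the OS cryptographic RNG. The verifier also handles the two things a practitioner wants alongside TOTP itself: a small clock-skew window and rejection of a code that was already accepted (replay). The 30-second step, 6-digit length, 20-byte secret and the `Random(12345)` seed are constructed for the example; it assumes .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the report or the tested application.
// Weak OTP from System.Random versus RFC 6238 TOTP with a CSPRNG secret.
public static class Otp
{
    private const int Digits = 6;        // constructed for the example
    private const int StepSeconds = 30;  // RFC 6238 default time step

    // Finding H2 pattern: System.Random is a non-cryptographic PRNG. Its
    // whole output sequence follows from the seed, so a handful of observed
    // codes is enough to pin the seed down and predict every later code.
    public static string GenerateWeakOtp(Random rng)
    {
        return rng.Next(0, (int)Math.Pow(10, Digits)).ToString().PadLeft(Digits, '0');
    }

    // Remediation: a per-user shared secret from the OS CSPRNG (20 bytes,
    // the HMAC-SHA1 block the RFC 4226 reference uses).
    public static byte[] NewSecret() => RandomNumberGenerator.GetBytes(20);

    // RFC 4226 HOTP truncation over the time-step counter (RFC 6238 TOTP).
    private static string TotpForStep(byte[] secret, long step)
    {
        byte[] msg = BitConverter.GetBytes(step);
        if (BitConverter.IsLittleEndian) Array.Reverse(msg); // counter is big-endian
        using var hmac = new HMACSHA1(secret);
        byte[] hash = hmac.ComputeHash(msg);
        int offset = hash[hash.Length - 1] & 0x0F;           // dynamic truncation
        int binary = ((hash[offset] & 0x7F) << 24)
                   | (hash[offset + 1] << 16)
                   | (hash[offset + 2] << 8)
                   | hash[offset + 3];
        int code = binary % (int)Math.Pow(10, Digits);
        return code.ToString().PadLeft(Digits, '0');
    }

    public static string Totp(byte[] secret, long unixSeconds) =>
        TotpForStep(secret, unixSeconds / StepSeconds);

    // Verifier: accept the current step +/- skewSteps, compare in constant
    // time, and refuse any step at or before the last one already accepted
    // so a captured code cannot be replayed inside the window.
    public static bool VerifyTotp(byte[] secret, string submitted, long unixSeconds,
                                  ref long lastAcceptedStep, int skewSteps = 1)
    {
        long current = unixSeconds / StepSeconds;
        bool ok = false;
        for (long step = current - skewSteps; step <= current + skewSteps; step++)
        {
            if (step <= lastAcceptedStep) continue;        // already used: replay
            byte[] expected = Encoding.ASCII.GetBytes(TotpForStep(secret, step));
            byte[] given = Encoding.ASCII.GetBytes(submitted ?? string.Empty);
            if (CryptographicOperations.FixedTimeEquals(expected, given))
            {
                ok = true;
                lastAcceptedStep = step;
            }
        }
        return ok;
    }

    public static void Main()
    {
        // Two Random instances with the same seed emit identical "one-time" codes.
        var a = new Random(12345);
        var b = new Random(12345);
        Console.WriteLine($"weak: {GenerateWeakOtp(a)} {GenerateWeakOtp(b)} (seed-determined)");

        byte[] secret = NewSecret();
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        string code = Totp(secret, now);
        long last = -1;
        bool first = VerifyTotp(secret, code, now, ref last);   // fresh code
        bool replay = VerifyTotp(secret, code, now, ref last);  // same code again
        Console.WriteLine($"totp: {code} first={first} replay={replay}");
    }
}
```

`TotpForStep` can be checked against the test vectors in RFC 6238 Appendix B (which use an 8-digit length, so set `Digits` accordingly). The secret must be stored per user with the same care as a password hash; it is a long-term key, not a one-time value.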
L1: Missing key location configuration
Risk Rating: Low
Exploitation Likelihood: Low
Potential Impact: Low
Description: The key store location is not configurable.
Impact: The user cannot change the key file without a developer.
Remediation: Read the key file path from configuration.
Status: Fixed
Evidence: Code Snippet
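The following C# is an added illustration of finding L1, not the application's code or the report's evidence. The hard-coded path stands for the pattern behind the finding; the remediated loader takes the path from a JSON configuration document (a constructed sample standing in for appsettings.json), allows an environment-variable override so operators can relocate or rotate the key without a code change, and applies the checks a reviewer would expect before trusting a configured path. The `KeyFilePath` key, the `APP_KEY_FILE` variable and the 32-byte minimum key length are assumptions of the example.

```csharp
using System;
using System.IO;
using System.Text.Json;

// Added example, not code from the report or the tested application.
// Finding L1: key file location hard-coded versus taken from configuration.
public static class KeyLocation
{
    // Finding L1 pattern: nobody can move or rotate the key without a
    // developer editing this literal and shipping a new build.
    public static byte[] LoadKeyHardcoded() =>
        File.ReadAllBytes(@"C:\app\keys\app.key"); // placeholder path

    // Shape of the configuration section we read (assumed for this example).
    private sealed class AppConfig { public string KeyFilePath { get; set; } }

    // Remediation: resolve the path from config, with an environment override
    // (APP_KEY_FILE is an assumed name) so operations can change it at deploy time.
    public static string ResolveKeyPath(string configJson, string envOverride)
    {
        string path = envOverride;
        if (string.IsNullOrWhiteSpace(path))
        {
            AppConfig cfg = JsonSerializer.Deserialize<AppConfig>(configJson);
            path = cfg?.KeyFilePath;
        }
        if (string.IsNullOrWhiteSpace(path))
            throw new InvalidOperationException("KeyFilePath is not configured.");
        // Require an absolute path: a relative one would resolve against the
        // process working directory and silently point somewhere else.
        if (!Path.IsPathRooted(path))
            throw new InvalidOperationException("KeyFilePath must be absolute: " + path);
        return Path.GetFullPath(path);
    }

    public static byte[] LoadKey(string configJson)
    {
        string path = ResolveKeyPath(configJson, Environment.GetEnvironmentVariable("APP_KEY_FILE"));
        if (!File.Exists(path))
            throw new FileNotFoundException("Key file not found", path);
        byte[] key = File.ReadAllBytes(path);
        if (key.Length < 32) // assumed minimum for this example's key type
            throw new InvalidOperationException("Key file too short; expected at least 32 bytes.");
        return key;
    }

    public static void Main()
    {
        // Constructed sample of what the configuration file would contain.
        const string sampleConfig = "{ \"KeyFilePath\": \"/etc/acs/app.key\" }";
        string resolved = ResolveKeyPath(sampleConfig, envOverride: null);
        Console.WriteLine("Key will be loaded from: " + resolved);
    }
}
```

Making the location configurable fixes the finding, but the configuration file then becomes part of the trust boundary: the path it names should be writable only by the deployment role, and the key file itself should be readable only by the service account.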
METHODOLOGIES
Web application testing progresses by methodically validating and verifying the effectiveness of application security controls. The testing methodology is based on the OWASP Testing Guide v4. The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities. Any security issues found are presented to the system owner, together with an assessment of the impact and a proposal for mitigation or a technical solution. The testing method follows the black-box approach, wherein the tester knows very little about the application to be tested.
The test is divided into 2 phases:
- Phase 1 Passive mode
In the passive mode the tester tries to understand the application's logic and plays with the application. Tools targeted for passive-mode testing are engaged to learn more about the business functions, critical data, underlying technology, execution paths, application sinks and architecture mapping.
- Phase 2 Active mode
Using the knowledge collected from the information gathering step, the testers scan for vulnerabilities in the web application. The testers conduct testing on configuration management, business logic, authentication, session management, authorization, data validation, denial of service, and web services. In this step, web server vulnerabilities, authentication mechanism vulnerabilities, input-based vulnerabilities and function-specific vulnerabilities are examined. Testing is carried out in the attacker's modus operandi: the techniques and tools attackers rely on, the exploits they use, and any needless exposure of data the target is suffering from.
Glossary

1. Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection,
occur when untrusted data is sent to an interpreter as part of a command or
query. The attacker’s hostile data can trick the interpreter into executing
unintended commands or accessing data without proper authorization.
2. Broken Authentication. Application functions related to authentication and
session management are often implemented incorrectly, allowing attackers
to compromise passwords, keys, or session tokens, or to exploit other
implementation flaws to assume other users’ identities temporarily or
permanently.
3. Sensitive Data Exposure. Many web applications and APIs do not properly
protect sensitive data, such as financial, healthcare, and PII. Attackers may
steal or modify such weakly protected data to conduct credit card fraud,
identity theft, or other crimes. Sensitive data may be compromised without
extra protection, such as encryption at rest or in transit, and requires special
precautions when exchanged with the browser.
4. XML External Entities (XXE). Many older or poorly configured XML
processors evaluate external entity references within XML documents.
External entities can be used to disclose internal files using the file URI
handler, internal file shares, internal port scanning, remote code execution,
and denial of service attacks.
5. Broken Access Control. Restrictions on what authenticated users are
allowed to do are often not properly enforced. Attackers can exploit these
flaws to access unauthorized functionality and/or data, such as access other
users’ accounts, view sensitive files, modify other users’ data, change access
rights, etc.
6. Security Misconfiguration. Security misconfiguration is the most
commonly seen issue. This is commonly a result of insecure default
configurations, incomplete or ad hoc configurations, open cloud storage,
misconfigured HTTP headers, and verbose error messages containing
sensitive information. Not only must all operating systems, frameworks,
libraries, and applications be securely configured, but they must be
patched/upgraded in a timely fashion.
7. Cross-Site Scripting (XSS). XSS flaws occur whenever an application
includes untrusted data in a new web page without proper validation or
escaping, or updates an existing web page with user-supplied data using a
browser API that can create HTML or JavaScript. XSS allows attackers to
execute scripts in the victim’s browser which can hijack user sessions,
deface web sites, or redirect the user to malicious sites.
8. Insecure Deserialization. Insecure deserialization often leads to remote
code execution. Even if deserialization flaws do not result in remote code
execution, they can be used to perform attacks, including replay attacks,
injection attacks, and privilege escalation attacks.
9. Using Components with Known Vulnerabilities. Components, such as
libraries, frameworks, and other software modules, run with the same
privileges as the application. If a vulnerable component is exploited, such an
attack can facilitate serious data loss or server takeover. Applications and
APIs using components with known vulnerabilities may undermine
application defenses and enable various attacks and impacts.
10. Insufficient Logging & Monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
11. Denial of Service (DoS). A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash.
12. Buffer Overflow Exploit. Attackers exploit buffer overflow issues by overwriting the memory of an application. This changes the execution path of the program, triggering a response that damages files or exposes private information.
13. Brute Force Attacks. A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works. If your web site requires user authentication, you are a good target for a brute-force attack.
14. Password Lockout. The most obvious way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts. Account lockouts can last a specific duration, such as one hour, or the accounts could remain locked until manually unlocked by an administrator.
