Web Application (Muthoot - Com) - Pentesting - Revalidation - Report - 26-4-2023

The security assessment report for Muthoot Fincorp LTD's web application https://muthoot.com identified several high, medium, and low severity vulnerabilities. A total of 31 vulnerabilities were found, including 4 high severity issues related to cross-site scripting, outdated PHP version, and exposure of sensitive SQL credentials. Other medium risks involved vulnerable JavaScript libraries and insecure iframes. Multiple low risks involved directory listings, error messages, and insecure cookie settings. The report provided details of each vulnerability found with the affected URLs and parameters.

Uploaded by

90harish87

Muthoot Fincorp LTD - Web application Security Assessment Report

Report Date: 10-6-2022

Private and Confidential -

Our deliverables are intended solely for the use and benefit of "Muthoot Fincorp LTD" management who may share it with the Board of Directors, the statutory audit committee.

Unless required by law, Muthoot Fincorp LTD shall not provide this, or any other such document (including draft deliverables) to any third party, without first obtaining the consent of Mazars, in writing, together with, where required by Mazars, procuring “Release of Liability” Letter in favour of Mazars from such third party; and providing a “Hold-Harmless” Letter to Mazars. In no event, regardless of whether consent has been provided, shall Mazars assume any responsibility to any third party to which the advice or Deliverable or draft deliverable is disclosed or otherwise made available.
We have not provided any opinion, attestation, or another form of assurance with respect to our work or the information upon which our work is based. The procedures we performed did not constitute an examination or a review in accordance with generally accepted auditing standards or attestation standards. We have not audited or otherwise verified the information supplied to us in connection with this engagement, from whatever source, except as was specified in this Agreement.

1. Scope -
Perform penetration testing
https://muthooth.com

2. Our Understanding -
To identify vulnerabilities/weakness in a shared Application by performing vulnerability assessment and penetration and provide remediation for vulnerabilities.

3. Limitation -
- Scope exclusions
• Anything not covered explicitly in the scope of work


1 Scope
The details of the application for which the application security assessment was done:
Web Application: https://muthoot.com/
Testing Environment: Production
Version/Build No.: NA

2 Risk Rating
Severity: Rating

High: High risk vulnerability has a high potential of impacting business operations leading to downtime or disruption and provides an attacker with privileged access, customer service or SLA breach resulting in significant outage. If exploited, it has a direct impact on confidentiality, integrity or availability of organizational information.

Medium: Medium vulnerability has a potential of indirectly giving access to an intruder and/or doesn’t have the features enabled for collecting evidence or notifying the attacker of unauthorized use for taking the legal action in case the vulnerability gets exploited. This type of vulnerability upon exploitation might result in elevation of privileges or slowing down the operations.

Low: Low risk vulnerability has the potential of revealing the information about the device and may lead to unauthorized access to system leading to compromise. Higher work factor would be involved for exploiting this type of vulnerability.

3 Vulnerability Severity Count

Details: This table contains the total count of vulnerabilities that have been identified as a part of the web application security assessment.

Vulnerability severity count
High: 4
Medium: 5
Low: 22
Total: 31

[Chart: Vulnerability Count, Web Application (High, Medium, Low)]
Web Application Security Assessment

Sr. No. Vulnerability

1. Cross-Site Scripting
2. Cross-Site Scripting
3. PHP Unsupported Version Detection (PHP 5.6.40)
4. Sensitive data exposure (SQL Credentials)
5. SQL Dump Files Disclosed via Web Server
6. phpMyAdmin 4.x < 4.9.4
7. Vulnerable JavaScript libraries
8. Directory listings
9. Application Error Messages
10. PhpMyAdmin Accessible
11. bash history file found
12. Error Logs
13. Insecure Inline Frame (iframe)
14. Insecure Inline Frame (iframe)
15. Insecure Inline Frame (iframe)
16. Insecure Inline Frame (iframe)
17. Insecure Inline Frame (iframe)
18. Insecure Inline Frame (iframe)
19. Insecure Inline Frame (iframe)
20. Insecure Inline Frame (iframe)
21. Insecure Inline Frame (iframe)
22. Insecure Inline Frame (iframe)
23. Insecure Inline Frame (iframe)
24. Insecure Inline Frame (iframe)
25. Insecure Inline Frame (iframe)
26. Cookies without Secure flag set
27. Cookies without HttpOnly flag set
28. HSTS not Implemented
29. PHP Version Disclosure
30. Clickjacking: X-Frame-Options header
31. Input Validation

Observation
It was observed that the following parameter is vulnerable to
cross-site scripting.

URL: https://muthoot.com/
Parameter: query

It was observed that the following parameter is vulnerable to
cross-site scripting.

URL: https://muthoot.com/search/
Parameter: query (post)

It was observed that the PHP version installed on the
webserver is no longer supported.

It was observed that the following pages disclose MySQL
database credentials.
URL:
- https://www.muthoot.com/old_site/
- https://www.muthoot.com/old_site/xml.php

It was observed that the web application publicly exposes
SQL dump files.
The following SQL files are available on the remote server:
- /search/sql/upgrade_to_1.2.sql
- /search/sql/tables.sql

It was observed that the phpMyAdmin application hosted on
the remote web server is 4.x prior to 4.9.4, or 5.x prior to 5.0.1.
It is, therefore, affected by a SQL injection (SQLi) vulnerability
in the user accounts page.

It was observed that the application is using vulnerable
JavaScript libraries. One or more vulnerabilities were reported
for this version of the library.

Library:
- jQuery JavaScript Library v1.3.1
- jQuery JavaScript Library v1.4.2

It was observed that directory listing is enabled for the following
folders.

URL:
https://muthoot.com/js/
https://muthoot.com/pdf/
https://muthoot.com/search/
https://muthoot.com/data/

It was observed that the web application displays application
error messages. Application error or warning messages may
expose sensitive information about an application's internal
workings to an attacker. These messages may also contain the
location of the file that produced an unhandled exception.

It was observed that phpMyAdmin is publicly accessible on the
server at the following URL:

URL: https://muthoot.com/phpmyadmin/index.php

It was observed that the remote web server hosts publicly
available files whose contents may be indicative of a typical
bash history.

URL: https://muthoot.com/.bash_history

It was observed that the remote web server allows access to the
error_log file.

URL: https://muthoot.com/error_log

It was observed that web page was found to be using an Inline
Frame ("iframe") to embed a resource, such as a different web
page. The Inline Frame is configured insecurely. This
vulnerability alert is based on the origin of the embedded
resource and the iframe's sandbox attribute, which can be
used to apply security restrictions as well as exceptions to
these restrictions.

URL:https://muthoot.com/

It was observed that web page was found to be using an Inline
Frame ("iframe") to embed a resource, such as a different web
page. The Inline Frame is configured insecurely. This
vulnerability alert is based on the origin of the embedded
resource and the iframe's sandbox attribute, which can be
used to apply security restrictions as well as exceptions to
these restrictions.

URL: https://muthoot.com/media/BlueAnthem

It was observed that web page was found to be using an Inline
Frame ("iframe") to embed a resource, such as a different web
page. The Inline Frame is configured insecurely. This
vulnerability alert is based on the origin of the embedded
resource and the iframe's sandbox attribute, which can be
used to apply security restrictions as well as exceptions to
these restrictions.

URL: https://muthoot.com/media/FincorpGoldLoan

It was observed that web page was found to be using an Inline
Frame ("iframe") to embed a resource, such as a different web
page. The Inline Frame is configured insecurely. This
vulnerability alert is based on the origin of the embedded
resource and the iframe's sandbox attribute, which can be
used to apply security restrictions as well as exceptions to
these restrictions.

URL: https://muthoot.com/media/GoldPoint

It was observed that web page was found to be using an Inline
Frame ("iframe") to embed a resource, such as a different web
page. The Inline Frame is configured insecurely. This
vulnerability alert is based on the origin of the embedded
resource and the iframe's sandbox attribute, which can be
used to apply security restrictions as well as exceptions to
these restrictions.

URL: https://muthoot.com/contactus/registeredaddresses

It was observed that web page was found to be using an Inline
Frame ("iframe") to embed a resource, such as a different web
page. The Inline Frame is configured insecurely. This
vulnerability alert is based on the origin of the embedded
resource and the iframe's sandbox attribute, which can be
used to apply security restrictions as well as exceptions to
these restrictions.

URL: https://muthoot.com/media/HomeLoan

It was observed that web page was found to be using an Inline
Frame ("iframe") to embed a resource, such as a different web
page. The Inline Frame is configured insecurely. This
vulnerability alert is based on the origin of the embedded
resource and the iframe's sandbox attribute, which can be
used to apply security restrictions as well as exceptions to
these restrictions.

URL: https://muthoot.com/media/RestartIndia

It was observed that web page was found to be using an Inline
Frame ("iframe") to embed a resource, such as a different web
page. The Inline Frame is configured insecurely. This
vulnerability alert is based on the origin of the embedded
resource and the iframe's sandbox attribute, which can be
used to apply security restrictions as well as exceptions to
these restrictions.

URL: https://muthoot.com/media/TwoWheeler

It was observed that web page was found to be using an Inline
Frame ("iframe") to embed a resource, such as a different web
page. The Inline Frame is configured insecurely. This
vulnerability alert is based on the origin of the embedded
resource and the iframe's sandbox attribute, which can be
used to apply security restrictions as well as exceptions to
these restrictions.

URL: https://muthoot.com/media/Women

It was observed that web page was found to be using an Inline
Frame ("iframe") to embed a resource, such as a different web
page. The Inline Frame is configured insecurely. This
vulnerability alert is based on the origin of the embedded
resource and the iframe's sandbox attribute, which can be
used to apply security restrictions as well as exceptions to
these restrictions.

URL: https://muthoot.com/media/goldLoan

It was observed that web page was found to be using an Inline
Frame ("iframe") to embed a resource, such as a different web
page. The Inline Frame is configured insecurely. This
vulnerability alert is based on the origin of the embedded
resource and the iframe's sandbox attribute, which can be
used to apply security restrictions as well as exceptions to
these restrictions.

URL: https://muthoot.com/media/zaheerKhan

It was observed that web page was found to be using an Inline
Frame ("iframe") to embed a resource, such as a different web
page. The Inline Frame is configured insecurely. This
vulnerability alert is based on the origin of the embedded
resource and the iframe's sandbox attribute, which can be
used to apply security restrictions as well as exceptions to
these restrictions.

URL: https://muthoot.com/media/vidyabalan

It was observed that web page was found to be using an Inline
Frame ("iframe") to embed a resource, such as a different web
page. The Inline Frame is configured insecurely. This
vulnerability alert is based on the origin of the embedded
resource and the iframe's sandbox attribute, which can be
used to apply security restrictions as well as exceptions to
these restrictions.

URL: https://muthoot.com/media/Vibhavana2019

It was observed that Secure flag was not set for the cookies for
the web application

It was observed that HttpOnly flag was not set for the cookies

It was observed that the web application doesn't implement
HTTP Strict Transport Security (HSTS) as the Strict Transport
Security header is missing from the response.

It was observed that the web server is sending the X-Powered-By:
response headers, revealing the PHP version.

It was observed that the server did not return an X-Frame-Options
header with the value DENY or SAMEORIGIN, which
means that this website could be at risk of a clickjacking attack.
The X-Frame-Options HTTP response header can be used to
indicate whether or not a browser should be allowed to render
a page inside a frame or iframe. Sites can use this to avoid
clickjacking attacks, by ensuring that their content is not
embedded into untrusted sites.

It was observed that no input validation was implemented on
the following:
URL:
- https://muthoot.com/careers/applynew/14
- https://muthoot.com/careers/apply/14
Parameter: All parameters
Impact
Malicious JavaScript has access to all the same objects as the rest of the web page, including
access to cookies and local storage, which are often used to store session tokens. If an attacker
can obtain a user's session cookie, they can then impersonate that user. Furthermore, JavaScript
can read and make arbitrary modifications to the contents of a page being displayed to a user.
Therefore, XSS in conjunction with some clever social engineering opens up a lot of possibilities
for an attacker.

Malicious JavaScript has access to all the same objects as the rest of the web page, including
access to cookies and local storage, which are often used to store session tokens. If an attacker
can obtain a user's session cookie, they can then impersonate that user. Furthermore, JavaScript
can read and make arbitrary modifications to the contents of a page being displayed to a user.
Therefore, XSS in conjunction with some clever social engineering opens up a lot of possibilities
for an attacker.

Lack of support implies that no new security patches for the product will be released by the
vendor. As a result, it is likely to contain security vulnerabilities.

The attacker may be able to use these credentials, as these file(s) contain full/partial source
code that contains a mysql_connect/mysql_pconnect function call that includes the MySQL
connection credentials. This information is highly sensitive and should not be found on a
production system.

These files are most likely database dumps and may contain sensitive information.

An authenticated, remote attacker can exploit this, by injecting custom SQL in place of their
own username, to inject or manipulate SQL queries in the back-end database, resulting in the
disclosure or manipulation of arbitrary data.

The use of third-party JavaScript libraries can introduce a range of DOM-based vulnerabilities,
including some that can be used to hijack user accounts like DOM-XSS.

Reference:
- https://nvd.nist.gov/vuln/detail/cve-2020-11022
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6071

A user can view a list of all files from the affected directories, possibly exposing sensitive
information.

Error messages may disclose sensitive information which can be used to escalate attacks.

If an attacker is able to log in, s/he can access, modify or delete all MySQL databases.

Bash_history files may contain sensitive information that should not be disclosed to the public.

An unauthenticated, remote attacker can exploit this, via a simple GET request, to disclose
potentially sensitive information.

When a web page uses an insecurely configured iframe to embed another web page, the latter
may manipulate the former, and trick its visitors into performing unwanted actions.

When a web page uses an insecurely configured iframe to embed another web page, the latter
may manipulate the former, and trick its visitors into performing unwanted actions.

When a web page uses an insecurely configured iframe to embed another web page, the latter
may manipulate the former, and trick its visitors into performing unwanted actions.

When a web page uses an insecurely configured iframe to embed another web page, the latter
may manipulate the former, and trick its visitors into performing unwanted actions.

When a web page uses an insecurely configured iframe to embed another web page, the latter
may manipulate the former, and trick its visitors into performing unwanted actions.

When a web page uses an insecurely configured iframe to embed another web page, the latter
may manipulate the former, and trick its visitors into performing unwanted actions.

When a web page uses an insecurely configured iframe to embed another web page, the latter
may manipulate the former, and trick its visitors into performing unwanted actions.

When a web page uses an insecurely configured iframe to embed another web page, the latter
may manipulate the former, and trick its visitors into performing unwanted actions.

When a web page uses an insecurely configured iframe to embed another web page, the latter
may manipulate the former, and trick its visitors into performing unwanted actions.

When a web page uses an insecurely configured iframe to embed another web page, the latter
may manipulate the former, and trick its visitors into performing unwanted actions.

When a web page uses an insecurely configured iframe to embed another web page, the latter
may manipulate the former, and trick its visitors into performing unwanted actions.

When a web page uses an insecurely configured iframe to embed another web page, the latter
may manipulate the former, and trick its visitors into performing unwanted actions.

When a web page uses an insecurely configured iframe to embed another web page, the latter
may manipulate the former, and trick its visitors into performing unwanted actions.

Cookies could be sent over unencrypted channels. When a cookie is set with the Secure flag, it
instructs the browser that the cookie can only be accessed over secure SSL/TLS channels. This is
an important security protection for session cookies.

Cookies can be accessed by client-side scripts.

The application fails to prevent users from connecting to it over unencrypted connections. An
attacker able to modify a legitimate user's network traffic could bypass the application's use of
SSL/TLS encryption, and use the application as a platform for attacks against its users. This
attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to
the site from an HTTP page, their browser never attempts to use an encrypted connection. The
sslstrip tool automates this process.

An attacker might use the disclosed information to harvest specific security vulnerabilities for
the version identified.

A missing X-Frame-Options header leaves the web application susceptible to clickjacking attacks. The
impact depends on the affected web application.

When a web application does not validate input properly, an attacker is able to craft the input in a form
that is not expected by the rest of the application. This will lead to parts of the system receiving
unintended input, which may result in altered control flow, arbitrary control of a resource, or
arbitrary code execution.
Vulnerability Rating Recommendation
Apply context-dependent encoding and/or validation to user input rendered on a
page

High

Apply context-dependent encoding and/or validation to user input rendered on a
page

High

Upgrade to the latest stable version.

High

Restrict access to these file(s) or remove them from the system.

High

Ensure proper restrictions are in place, or remove the file if the file is not required.

Medium

Upgrade to phpMyAdmin version 4.9.4, 5.0.1, or later. Alternatively, apply the
patches referenced in the vendor advisories.

Medium

Upgrade to the latest version.

Medium

Restrict directory listings from the web server configuration.

Medium

Verify that these page(s) are disclosing error or warning messages and properly
configure the application to log errors to a file instead of displaying the error to the
user.

Medium

Configure your web server to prevent public access to the phpMyAdmin directory
by implementing access control mechanisms.

Low

Ensure proper restrictions are in place, or remove the file if the file is not required.

Low

Ensure proper restrictions are in place, or remove the file if the file is not required.

Low

Use the sandbox attribute to secure the iframe while applying sandbox directives to
ease security restrictions if necessary.

Low

Use the sandbox attribute to secure the iframe while applying sandbox directives to
ease security restrictions if necessary.

Low

Use the sandbox attribute to secure the iframe while applying sandbox directives to
ease security restrictions if necessary.

Low

Use the sandbox attribute to secure the iframe while applying sandbox directives to
ease security restrictions if necessary.

Low

Use the sandbox attribute to secure the iframe while applying sandbox directives to
ease security restrictions if necessary.

Low

Use the sandbox attribute to secure the iframe while applying sandbox directives to
ease security restrictions if necessary.

Low

Use the sandbox attribute to secure the iframe while applying sandbox directives to
ease security restrictions if necessary.

Low

Use the sandbox attribute to secure the iframe while applying sandbox directives to
ease security restrictions if necessary.

Low

Use the sandbox attribute to secure the iframe while applying sandbox directives to
ease security restrictions if necessary.

Low

Use the sandbox attribute to secure the iframe while applying sandbox directives to
ease security restrictions if necessary.

Low

Use the sandbox attribute to secure the iframe while applying sandbox directives to
ease security restrictions if necessary.

Low

Use the sandbox attribute to secure the iframe while applying sandbox directives to
ease security restrictions if necessary.

Low

Use the sandbox attribute to secure the iframe while applying sandbox directives to
ease security restrictions if necessary.

Low

Set the Secure flag for these cookies.


Low

Set the HttpOnly flag for cookies.


Low

The application should instruct web browsers to only access the application using
HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a
response header with the name 'Strict-Transport-Security' and the value
'max-age=expireTime', where expireTime is the time in seconds that browsers should
remember that the site should only be accessed using HTTPS. Consider adding the
'includeSubDomains' flag if appropriate.

Low

Configure your web server to prevent information leakage from its HTTP response.
https://www.php.net/manual/en/function.header-remove.php

Low

Configure your web server to include an X-Frame-Options header and a CSP header
with frame-ancestors directive. Consult Web references for more information about
the possible values for this header.

Low

Implement Input validation using both server-side code as well as client-side code.

Assume all input is malicious. Use an "accept known good" input validation strategy,
i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any
input that does not strictly conform to specifications or transform it into something
that does.

Low
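
A revalidation check for the header-level recommendations above (cookie Secure and HttpOnly flags, HSTS, X-Powered-By, X-Frame-Options / CSP frame-ancestors), as an added example that is not part of the original report. The function names and finding labels are hypothetical and both sample responses are constructed; only the PHP version string is taken from the report.

```python
"""Audit one HTTP response header block against the report's header findings."""
import re


def parse_headers(raw):
    """Parse a raw header block into (lower-case name, value) pairs.

    A list is used instead of a dict because Set-Cookie may repeat.
    """
    pairs = []
    for line in raw.strip().splitlines():
        if ":" not in line:
            continue  # skips the status line and malformed lines
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_findings(set_cookie_value):
    """Return the missing-flag findings for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    missing = []
    if "secure" not in attrs:
        missing.append(f"cookie-no-secure:{cookie_name}")
    if "httponly" not in attrs:
        missing.append(f"cookie-no-httponly:{cookie_name}")
    return missing


def hsts_ok(value):
    """HSTS only has an effect with a positive max-age (max-age=0 clears it)."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) > 0


def framing_ok(headers):
    """True if X-Frame-Options is DENY/SAMEORIGIN or CSP sets frame-ancestors.

    Assumption of this example: either control alone is accepted, and only a
    wildcard frame-ancestors source is treated as unrestricted.
    """
    for name, value in headers:
        if name == "x-frame-options" and value.strip().upper() in ("DENY", "SAMEORIGIN"):
            return True
        if name == "content-security-policy":
            for directive in value.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    sources = [t.lower() for t in tokens[1:]]
                    if sources and "*" not in sources:
                        return True
    return False


def audit(raw, over_https=True):
    """Return a list of finding labels for one response header block."""
    headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(cookie_findings(value))
    # Browsers ignore HSTS received over plain HTTP, so only check HTTPS responses.
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if over_https and not any(hsts_ok(v) for v in hsts):
        findings.append("hsts-missing")
    for name, value in headers:
        if name == "x-powered-by":
            findings.append(f"version-disclosure:{value}")
    if not framing_ok(headers):
        findings.append("framing-unrestricted")
    return findings


# Constructed sample: a response showing the conditions the report describes.
BEFORE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.6.40
Set-Cookie: PHPSESSID=constructed123; path=/
"""

# Constructed sample: the same response after the recommendations are applied.
AFTER = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
Set-Cookie: PHPSESSID=constructed123; path=/; Secure; HttpOnly
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(sample))
```
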
Vulnerability status / POCs / Vulnerability Status by Muthoot

Open POC Closed

Open POC Closed

Closed POC Closed

Closed POC Closed

Closed POC Closed

Closed POC Closed

Closed POC Closed


Closed POC Closed

Closed POC Closed

Closed POC Closed

Closed POC Closed

Closed POC Closed

Closed POC Closed

Closed POC Closed


Closed POC Closed

Closed POC Closed

Closed POC Closed

Closed POC Closed


Closed POC Closed

Closed POC Closed

Closed POC Closed

Closed POC Closed

Closed POC Closed


Closed POC Closed

Closed POC Closed

Closed POC Closed

Closed POC Closed

Closed POC Closed

Closed POC Closed

Closed POC Closed


Closed POC Closed
Comments by Muthoot

Done

Done

Done

Done

Done

Done. Current Php version is not supported latest phpmyadmin so I removed phpmyadmin. Better we can
use mysql workbench to connect database.

Done
Done

Done

Done. Removed phpmyadmin

Done. Removed bash history file

Done

Done

Done
Done

Done

Done

Done
Done

Done

Done

Done

Done
Done

Done

Done

Done

Done

Done

Done
Done
Comments by BakerTilly

On 26-04-2023, a vulnerability retest was conducted, and
it was found that the "query" parameter in the web
application had not undergone proper sanitization. As a
result the web application is vulnerable to XSS attack,
hence the vulnerability is still open.
POC Appended in the POC Section

On 26-04-2023, a vulnerability retest was conducted, and
it was found that the "query" parameter in the web
application had not undergone proper sanitization. As a
result the web application is vulnerable to XSS attack,
hence the vulnerability is still open.
POC Appended in the POC Section

Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed


Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed


Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed


Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed


Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed

Closed based on the basis of the revalidation performed


Closed based on the basis of the revalidation performed
Cross-Site Scripting
URL: https://muthoot.com/?query
Payload: Omkar"><script>alert(document.domain)</script><x="
Date: 26-04-2023

Convert the above GET request to POST request


Payload= mkar">/<li><ul><script>alert(document.domain)</script><ul><li><x="
Browser Response
Cross-Site Scripting
URL: https://muthoot.com/search
Payload: (POST) Omkar"><script>alert(document.domain)</script><x="
Date: 26-04-2023
PHP Unsupported Version Detection
Sensitive data exposure (SQL Credentials)

URL: https://www.muthoot.com/old_site/xml.php

URL: https://www.muthoot.com/old_site/index.php
SQL Dump Files Disclosed via Web Server

URL: https://muthoot.com/search/sql/
phpMyAdmin 4.x < 4.9.4

URL: https://muthoot.com/phpmyadmin/doc/html/index.html
Vulnerable JavaScript libraries

URL: https://muthoot.com/js/jquery-1.4.2.min.js

URL: https://muthoot.com/js/jquery-1.3.1.min.js
Directory listings

URL: https://muthoot.com/js/
URL: https://muthoot.com/pdf/

URL: https://muthoot.com/search/
URL: https://muthoot.com/data/
Application Error Messages
PhpMyAdmin Accessible
bash history file found
Error Logs
Insecure Inline Frame (iframe)

URL: https://muthoot.com/
Insecure Inline Frame (iframe)

URL: https://muthoot.com/media/BlueAnthem
Insecure Inline Frame (iframe)

URL: https://muthoot.com/media/FincorpGoldLoan
Insecure Inline Frame (iframe)

URL: https://muthoot.com/media/GoldPoint
Insecure Inline Frame (iframe)

URL: https://muthoot.com/contactus/registeredaddresses

Page Source Code


Insecure Inline Frame (iframe)

URL: https://muthoot.com/media/HomeLoan
Insecure Inline Frame (iframe)

URL: https://muthoot.com/media/RestartIndia
Insecure Inline Frame (iframe)

URL: https://muthoot.com/media/TwoWheeler
Insecure Inline Frame (iframe)

URL: https://muthoot.com/media/Women
Insecure Inline Frame (iframe)

URL: https://muthoot.com/media/goldLoan
Insecure Inline Frame (iframe)

URL: https://muthoot.com/media/zaheerKhan
Insecure Inline Frame (iframe)

URL: https://muthoot.com/media/vidyabalan
Insecure Inline Frame (iframe)

URL: https://muthoot.com/media/Vibhavana2019
Cookies without Secure flag set
Cookies without HttpOnly flag set
HSTS not Implemented
PHP Version Disclosure
Clickjacking: X-Frame-Options header
Input Validation

URL: https://muthoot.com/careers/apply/14
URL: https://muthoot.com/careers/applynew/14
