Sample Web Application Security Assessment

Web Application Security Assessment Report - Web Application

Confidential: v1.0
Technical Report

Submitted To

Web Application Security Assessment
Table of Contents
Executive Summary  3
  Scope of the Exercise  3
  Type of Test  3
Overview of Results  4
  Distribution of Vulnerabilities – Census Report  4
    Census of Web Application Vulnerabilities  4
Host Details  4
Vulnerabilities and Proof of Concept  5
Vulnerability Summary  7
  OWASP TOP 10 Vulnerabilities Status  7
Observations  8
  1. Session Fixation  8
  2. User Credentials are sent in Clear text  9
  3. Clickjacking  10
  4. Code Value Not Validated Properly  (no page reference)
  5. Information Disclosure  (no page reference)
  6. Application Error Message  (no page reference)
  7. Vulnerable jQuery Version  11
  8. Username Enumeration  (no page reference)
  9. Content Security Policy Header Missing  11
  10. Missing X-XSS Protection  12
  11. Missing X-Content-Type-Options  13
Conclusion  15

VAPT Report – Technical Confidential Page2 of 15



Executive Summary
Scope of the Exercise
The purpose of this assessment was to discover and identify vulnerabilities and security issues
on the Web Application of with the help of the provided information. The scope limits the
assessment of the web application to the identification and categorization of vulnerabilities
and the provision of mitigation strategies for them. The audit activities were carried out based
on OWASP guidelines.

Type of Test

Grey Box Testing


The assessment was entirely carried out as manual Grey Box Testing. A manual testing
approach eliminates the false positives that common automated tools produce. The site was
also subjected to various other tests based on the OWASP Testing Guidelines, including
parameter manipulation, cookie manipulation, request modification and testing for the
OWASP Top 10.


Overview of Results
Distribution of Vulnerabilities – Census Report
The following graphical representation details the current threat level based on the severity
of the vulnerabilities, business impact and ease of mitigation.

Census of Web Application Vulnerabilities

Vulnerability Overview (chart: number of findings per severity)

Severity  Count
High      4
Medium    1
Low       6

Host Details

Sl. No. URL

1. https://---------------------------


Vulnerabilities and Proof of Concept


This section lists the vulnerabilities that exist on the stated web application. The
vulnerabilities listed in the following pages are derived from the collective assessment of the
web application using tools and the tested expertise of our Security Auditors.
Listed below are general observations made upon completion of the assessment.
Vulnerability Title:
The Vulnerability Title is a short one-line description of the vulnerability discovered. The
title is colour coded according to the risk level as follows:
High: This risk level indicates a vulnerability whose successful exploitation may result in a
significant impact to the confidentiality, integrity or availability of information accessible
through the system, network resource or web application. Backend resources like the database,
connected systems and the network in general are likely to be affected. A successful exploit may
lead to irrecoverable damage to data, resources and reputation.
Medium: This risk level indicates a vulnerability that, when successfully exploited, may cause
disclosure of potentially sensitive information and exposure of the underlying application or
system architecture, which, when combined with other vulnerabilities, may cause severe impact
on resources and credibility.
Low: This risk level indicates a vulnerability that, when exploited, may result in disclosure of
information that helps an attacker gain a substantial understanding of the application's
underlying architecture. This information could then be used to further an attack scenario on a
target.

Description:
The description provides a brief outline of the vulnerability, including its common identifier,
where applicable and available.
Affected Link & Parameter [Location of Vulnerability]:
The systems responsible or affected for or due to the vulnerability are listed here. If multiple
systems are involved or are affected by different instances of the same vulnerability then
they will be listed here along with the other targets. In case of web applications the affected
URL or the server configuration will be listed.

Business Impact:
The impact of a successful exploitation of the vulnerability on business, data and client
relations is rated here with a brief explanation. The rating is defined as follows:
High: A vulnerability with a High Business Impact rating would cause the entire business to
collapse if exploited successfully. These vulnerabilities may allow an attacker to access
business-critical data and client-related sensitive records, execute code on the host, cause
denial of service that disrupts business flow, or gain unauthorized access to company
resources. These vulnerabilities need immediate attention.
Medium: This rating defines a vulnerability that, when exploited successfully, may allow an
attacker access to information that could be used together with other vulnerabilities to cause
damage to reputation, data, and system and network resources. These vulnerabilities deserve
attention within the Mitigation Window.
Low: Vulnerabilities identified as having a Low Business Impact are addressed last. They are
issues that, if they persist and are used in conjunction with other vulnerabilities, may help an
attacker increase the impact of an attack. Information disclosure that generally aids an
attacker in understanding the network architecture but does not affect system resources in
isolation comes under this category.

Ease of Exploitation [Where Applicable]:


The ease of exploitation of the vulnerability can be defined for three categories:
Easy: A novice attacker could easily identify and exploit this vulnerability without the use of
specialized tools or exploit code.
Intermediate: An attacker has to rely on third party tools to exploit this vulnerability or
write simple snippets of code that will aid in successful exploitation of this issue.
Hard: An attacker needs specialized tools or advanced exploit code that may not be easily
available.
Recommendation and Mitigation Strategies:
This part of the Vulnerability Index contains information relating to the source of the update
or solution or the solution itself briefly described with reference to the original text.
Following these mitigation strategies may help in alleviating the discovered vulnerabilities.


Vulnerability Summary
This section presents the analysis of vulnerabilities found on the Web Application as per
OWASP Top 10 - 2017 guidelines.

OWASP TOP 10 Vulnerabilities Status

Sl. No.  Top 10 OWASP Vulnerability                  Vulnerability Findings

1.       Injection                                   Not Found

2.       Broken Authentication                       Session Fixation

3.       Sensitive Data Exposure                     1. Information Disclosure
                                                     2. User Credentials Sent in Clear Text

4.       XML External Entities (XXE)                 Not Found

5.       Broken Access Control                       Not Found

6.       Security Misconfiguration                   1. Clickjacking
                                                     2. Code Value Not Validated
                                                     3. Missing X-XSS-Protection
                                                     4. CSP Header Missing
                                                     5. Application Error Message
                                                     6. Missing X-Content-Type-Options
                                                     7. Username Enumeration
                                                     8. Application Error Message

7.       Cross-Site Scripting (XSS)                  Not Found

8.       Insecure Deserialization                    Not Found

9.       Using Components with Known Vulnerabilities Not Found

10.      Insufficient Logging & Monitoring           Not Found


Observations
This section presents a descriptive analysis of the vulnerabilities found on the Web
Application that were obtained while performing the tests.

1. Session Fixation
Description:
Session fixation is a web attack technique in which the attacker tricks the user into using a
specific session ID. After the user logs in to the web application with that session ID, the
attacker uses the same, now-valid session ID to gain access to the user's account.
Affected Link & Parameter [Location of Vulnerability]:
https://--------
Business Impact:
High: An attacker who exploits this vulnerability gets full access to the vulnerable session
without any authentication. This vulnerability occurs due to improper session management.
Ease of Exploitation:
Intermediate.
Recommendation and Mitigation Strategies:
Session IDs should be validated properly: if the same ID or token value is reused across
different sessions, the server should destroy all of those sessions and ask for re-authentication.

How to Generate Issue:


➢ As can be seen, the cookie value does not change after login; an attacker might take advantage
of this flaw and proceed further.
➢ Steal the cookie value from an active session through social engineering.
➢ Paste the cookie value into another browser; the user is successfully logged in without
using login credentials.
➢ The vulnerability has been exploited successfully; kindly find the pictures below for
reference.

Proof of Concept:

(a) Cookie Value From Browser 1

(b) Pasting The Same Cookie Value in Browser 2

(c) Successfully Logged in Using the Same Cookie
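The observation above (the cookie value does not change after login) is the root cause of session fixation, and the standard fix is to issue a new session ID at the moment of authentication and destroy the old one. The following is an added example, not code from the report or from the assessed application: a hypothetical in-memory SessionStore with the defective login (ID kept across login) next to the hardened one (ID rotated), and a replay of the report's scenario against both. All names (SessionStore, login, login_without_rotation, fixation_outcome) are assumptions chosen for illustration.

```python
"""Session-ID rotation at login as the defence against session fixation.

Added example; not code from the report or the assessed application.
SessionStore is a hypothetical in-memory session table; method names are
assumptions chosen for illustration.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None                     # None until authenticated
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """Server-side session table keyed by an unguessable session ID."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        """Issue a fresh anonymous session, as a first visit would get."""
        sid = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
        self._sessions[sid] = Session()
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login_without_rotation(self, sid: str, user: str, password_ok: bool) -> str:
        """The defect the report describes: the pre-login ID survives login,
        so whoever already knew that ID now owns the authenticated session."""
        if not password_ok:
            raise PermissionError("bad credentials")
        session = self._sessions.setdefault(sid, Session())
        session.user = user
        return sid

    def login(self, sid: str, user: str, password_ok: bool) -> str:
        """Hardened form: authenticate, then rotate the session ID.

        The pre-login ID (possibly planted or observed by an attacker) is
        destroyed, so it can never become an authenticated session. The
        returned ID is the value the Set-Cookie header must carry.
        """
        if not password_ok:
            raise PermissionError("bad credentials")
        old = self._sessions.pop(sid, None)        # invalidate the old ID
        new_sid = secrets.token_urlsafe(32)
        carried = old.data if old is not None else {}
        self._sessions[new_sid] = Session(user=user, data=carried)
        return new_sid


def fixation_outcome(rotate: bool) -> Dict[str, bool]:
    """Replay the report's scenario: a session ID already known before login
    is the one the victim logs in with. Reports whether that known ID ends up
    authenticated, which is exactly what the assessment observed."""
    store = SessionStore()
    known_sid = store.new_session()                # ID the attacker already knows
    do_login = store.login if rotate else store.login_without_rotation
    post_login_sid = do_login(known_sid, user="victim", password_ok=True)
    known = store.lookup(known_sid)
    return {
        "known_id_authenticated": known is not None and known.user is not None,
        "id_changed_on_login": post_login_sid != known_sid,
        "post_login_id_valid": store.lookup(post_login_sid) is not None,
    }


if __name__ == "__main__":
    print("without rotation:", fixation_outcome(rotate=False))
    print("with rotation:   ", fixation_outcome(rotate=True))
```

The check a tester repeats from the "How to Generate Issue" steps maps directly onto the `known_id_authenticated` flag: with rotation it is False, because the pre-login ID no longer exists on the server. Note that a failed login leaves the anonymous session untouched, so rotation happens only on successful authentication.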

2. User Credentials are sent in Clear text


Description:
User credentials are transmitted as plain text. If they are intercepted by an attacker, the
attacker can easily gain access and compromise the web application. User credentials must
always be encrypted while being transmitted over the internet.
Affected Link & Parameter [Location of Vulnerability]:
https://--------
Business Impact:
High: An attacker can access the application console using these passwords and compromise
the application from an external system to reduce attack traceability.
Ease of Exploitation:
Easy
Recommendation and Mitigation Strategies:
Use a one-way hashing function such as SHA-2 (224, 256) or SHA-3 (224, 256) to hash the
password before storing it in the database. While authenticating, the entered password is run
through the same function and the result is compared with the entry in the database. A salt (a
random string) can also be appended or prepended to the password to increase the security of
the resulting hash.

How to Generate Issue:


➢ The attacker uses an open-source tool called Wireshark.
➢ Using this tool, the attacker captures all network packets on the same network to which a
legitimate user is connected while that user accesses the application and tries to log in.
➢ As the application is an HTTP site, it is easy for the attacker to capture and view all the
requests made to the application using the packet-capturing tool Wireshark.
➢ The attacker can view sensitive information passing in plain text.
➢ In the given application, due to weak encryption, the credentials are compromised.
➢ The vulnerability has been exploited successfully; kindly find the pictures below for
reference.

Proof of Concept:


3. Clickjacking
Description:
The application's response headers are missing the X-Frame-Options header, which may allow
an attacker to embed the page inside another page using iframe code.
Affected Link & Parameter [Location of Vulnerability]:
http://
Business Impact:
High: With a carefully crafted combination of stylesheets, iframes and text boxes, a user can
be led to believe they are typing the password to their email or bank account, but are instead
typing into an invisible frame controlled by the attacker.
Ease of Exploitation:
Intermediate
Recommendation and Mitigation Strategies:
Please enable X-Frame-Options and set it to "DENY", "SAMEORIGIN" or "ALLOW-FROM uri".
• X-Frame-Options: DENY « does not allow the website to be framed by anyone.
• X-Frame-Options: SAMEORIGIN « no one can frame the page except pages from the same origin.
• X-Frame-Options: ALLOW-FROM uri « permits the specified 'uri' to frame this page
(e.g., ALLOW-FROM http://www.example.com).
• https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
How to Generate Issue:
➢ The given application does not contain the X-Frame-Options header.
➢ An attacker can therefore embed the application in an iframe and misuse it.
➢ The code below is the test page used by the attacker:
<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>This Website is vulnerable to clickjacking!</p>
<iframe src="http://24exch.com/login" width="600" height="700"></iframe>
</body>
</html>
➢ The vulnerability has been exploited successfully; kindly find the pictures below for
reference.
Proof of Concept:

(a) X-Frame Missing

(b) Clickjacking

7. Vulnerable jQuery Version


Description:
jQuery UI 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the
title attribute.
Affected Link & Parameter [Location of Vulnerability]:
http://
Business Impact:
Low: Modification of some system files or information is possible, but the attacker does not
have control over what can be modified, or the scope of what the attacker can affect is
limited.
Ease of Exploitation:
Intermediate
Recommendation and Mitigation Strategies:
Please update to the latest version of jQuery UI, which is not vulnerable.

How to Generate Issue:


➢ The given application uses an older, vulnerable version of jQuery UI.
➢ jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote
attackers to inject arbitrary web script or HTML via the title option.

Proof of Concept:

9. Content Security Policy Header Missing


Description:
The HTTP Content-Security-Policy response header allows web site administrators to
control the resources the user agent is allowed to load for a given page. With a few exceptions,
policies mostly involve specifying server origins and script endpoints. This helps guard
against cross-site scripting (XSS) attacks.
Affected Link & Parameter [Location of Vulnerability]:
https://--------
Business Impact:
Low: If the website is vulnerable to a cross-site scripting attack, CSP can prevent successful
exploitation of that vulnerability. By not implementing CSP, this extra layer of security is
missing.
Ease of Exploitation:
Intermediate.
Recommendation and Mitigation Strategies:
Enable CSP on the website by sending the Content-Security-Policy header in HTTP responses,
which instructs the browser to apply the policies specified.
Proof of Concept:

10. Missing X-XSS Protection


Description:
This header is used to configure the built-in reflective XSS protection found in Internet
Explorer, Chrome and Safari (WebKit). Valid settings for the header are 0, which disables
the protection; 1, which enables the protection; and 1; mode=block, which tells the browser
to block the response if it detects an attack rather than sanitizing the script.

Affected Link & Parameter [Location of Vulnerability]:

https://--------

Business Impact:
Low: It leads to XSS attacks.

Ease of Exploitation:
Intermediate.
Recommendation and Mitigation Strategies:
Mitigates cross-site scripting (XSS) attacks.
Set X-XSS-Protection: "1; mode=block"

Proof of Concept:

11. Missing X-Content-Type-Options


Description:
This header has only one valid value, nosniff. It prevents Google Chrome and Internet
Explorer from trying to MIME-sniff the content type of a response away from the one
declared by the server. It reduces exposure to drive-by downloads and the risk that
user-uploaded content could, with clever naming, be treated as a different content type,
such as an executable.
Affected Link & Parameter [Location of Vulnerability]:
https://--------
Business Impact:
Low: Possibility of man-in-the-middle attacks.
Ease of Exploitation:
Intermediate.
Recommendation and Mitigation Strategies:
Prevents possible phishing or XSS attacks. Set X-Content-Type-Options: "nosniff"
Proof of Concept:
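Findings 3, 9, 10 and 11 above are all response-header checks (X-Frame-Options, Content-Security-Policy, X-XSS-Protection, X-Content-Type-Options), so one audit routine covers them and is the check a defender would re-run after applying the recommendations. The following is an added example, not code from the report or the assessed application: it evaluates a dict of response headers against the values the report recommends and returns the findings. The two header sets are constructed samples, and `audit_headers` together with the finding labels are assumptions for this example. It goes slightly beyond the report by also accepting the CSP `frame-ancestors` directive as a clickjacking defence, since the OWASP cheat sheet the report links to lists it alongside X-Frame-Options.

```python
"""Audit an HTTP response's defensive headers (findings 3, 9, 10, 11).

Added example; not code from the report or the assessed application.
Sample header sets are constructed; function and label names are assumptions.
"""
from typing import Dict, List


def _normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive, so compare them lower-cased."""
    return {k.lower().strip(): v.strip() for k, v in headers.items()}


def _csp_directives(csp: str) -> Dict[str, str]:
    """Split 'default-src 'self'; frame-ancestors 'none'' into a directive map."""
    out: Dict[str, str] = {}
    for part in csp.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition(" ")
            out[name.lower()] = value.strip()
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return finding labels for the headers; an empty list means all checks pass."""
    h = _normalise(headers)
    findings: List[str] = []
    csp = _csp_directives(h.get("content-security-policy", ""))

    # Finding 3 (clickjacking): X-Frame-Options must carry one of the report's
    # three values, or CSP must restrict framing via frame-ancestors.
    xfo = h.get("x-frame-options", "").upper()
    xfo_ok = xfo in ("DENY", "SAMEORIGIN") or xfo.startswith("ALLOW-FROM ")
    if not xfo_ok and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options or CSP frame-ancestors")

    # Finding 9 (CSP missing): a policy that constrains neither default-src nor
    # script-src does not restrict script loading and is reported as well.
    if not csp:
        findings.append("csp: Content-Security-Policy header missing")
    elif "default-src" not in csp and "script-src" not in csp:
        findings.append("csp: policy sets neither default-src nor script-src")

    # Finding 10: the report's recommended value is "1; mode=block".
    xss = h.get("x-xss-protection", "").replace(" ", "").lower()
    if xss != "1;mode=block":
        findings.append('x-xss-protection: expected "1; mode=block"')

    # Finding 11: the header has exactly one valid value.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append('x-content-type-options: expected "nosniff"')

    return findings


# Constructed samples: a response lacking every header the report flags, and a
# hardened configuration applying the report's recommendations.
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(hdrs) or "OK")
```

The X-XSS-Protection check follows the value the report recommends. Current browser engines have removed the reflective XSS auditor this header controlled, so that check is best treated as a policy flag, with the Content-Security-Policy check carrying the actual protection against script injection.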


Conclusion
I have conducted Web Application Security Assessment on the given Web Application of and
found the above-mentioned vulnerabilities.

