VAPT Report - Zero - Webappsecurity.com by Sudhakar Reddy-Updated
Vulnerabilities Report
Project URL: http://zero.webappsecurity.com
Client: Micro Focus
Date of Completion: 28-09-2022
To Be Viewed By Authorized Personnel Only
Confidentiality and liability
This document is the property of Micro Focus Senior IT management only, and contains matter which is strictly
confidential and must not be given to any third party, or be printed, reprinted, photocopied or shared in
electronic form such as email, in whole or in part, without the prior consent of Micro Focus Senior IT
management. If you received this document in error, please notify the owner or us immediately. Consistent
System will not be liable for any misuse of information in this document in any form, situation or event.
Management personnel who are responsible for receiving this document own and control the document.
Disclaimer
Since the success of the testing is a joint venture between the customer and Consistent Systems, we seek
complete support from the customer's IT management and a helpful technical contact person. Consistent Systems will
not be responsible for any data loss, business functionality loss, reputational and/or revenue loss etc. caused
during the testing or thereafter. To that end, Consistent System mandates and urges the customer to be very
diligent in backing up all the systems, configurations, folders, files and settings which come within the scope of
the proposed testing.
By its nature, a penetration test scans only for vulnerabilities that could potentially lead to an intrusion. It does
not mean that intrusions which happened in the past will be detected, nor that it will detect and prevent
intrusions which might happen in the future.
Penetration tests are meant to find possible vulnerabilities based on the data provided by the customer. If
inadequate or incorrect data is provided, it can limit the scope of testing, which can in turn leave loopholes
in the networks unidentified. Consistent System will not be liable for such situations.
With time, hacking methodologies, technologies and tools change; as a result, a vulnerability fixed today
does not stay fixed forever. It is very likely that a vulnerability fixed today with a patch or
reconfiguration can still be exploited in future, which makes penetration testing a periodically conducted,
continuous improvement process.
It is often misconstrued that a penetration test is an actual hacking attack; in reality the penetration test
is network scanning together with an attempt to penetrate through the possible vulnerabilities that can
potentially lead to an intrusion. An actual penetration may not happen, because most real-life hacking
scenarios are rather time-consuming processes which can only be simulated to some extent in a penetration
test.
VAPT tests are not capable of, and are not intended for, detecting hardware, software, firmware or
application defects in general. The same applies to IT performance and functionality problems.
As a policy to protect the customer's data privacy, Consistent System does not provide logs to the customer.
The logs are treated as internal working data for the Consistent System tech team, hence are the intellectual
property of Consistent System, and the report generated from them is the only output or outcome meant for the
customer to see. Consistent System deletes or destroys all the logs and findings of the penetration test
three days after the submission of the final report, as a matter of security practice, to protect the client's
confidentiality. Any disputes or concerns raised after three days will call for retesting, which counts as a
repetition of the testing, and will be charged extra.
If the penetration test is being carried out for product security endorsement, it is important to understand
that the test certifies a specific software build version and the same applications running on the product.
This also means that if the software, operating systems or application stacks which form the product undergo
any major or minor change, update or configuration change, the certificate provided becomes null and void,
and in such a case the product would need to be recertified for the new software build. The certificate we
provide for a product clearly mentions the software and application build and the related technical details,
tying it to the specific product; it is not a generic one.
Vulnerability Finding And Attacks Performed

OWASP Standards 2021   Attack Type              Approx. No. of Attacks Performed
A1                     Broken Access Control    100+

SR. No.   Vulnerability Title                                                                                   Severity
1         OWASP A2: Cryptographic Failures : Clear Text Submission of Username and Password                     Critical
2         OWASP A2: Cryptographic Failures : Passwords are stored in cookie as clear text                       Critical
3         OWASP A5: Security Misconfiguration : Invalid Certificate/Connection is not Secure                   Critical
4         OWASP A5: Security Misconfiguration : Insecure storage mechanism of passwords                        Critical
5         OWASP A2: Cryptographic Failures : Missing Strict-Transport-Security policy in Response Header       High
6         OWASP A3: Injection : Application is Vulnerable to XSS and click jacking attacks                      High
7         OWASP A5: Security Misconfiguration : Input validation is missing                                    High
8         OWASP A7: Broken Authentication : Idle Session is not getting Expired within Stipulated Time         High
9         OWASP A7: Broken Authentication : Adversary can reset email id using forgot password link            High
10        OWASP A1: Broken Access Control : Access control check is missing                                    Medium
11        OWASP A1: Broken Access Control : Unidentified Ports are Open on Application Server                  Medium
12        OWASP A6: Vulnerable and Outdated Components : Vulnerable JQUERY Library Component                   Medium
13        OWASP A7: Broken Authentication : Application is Accepting Weak Password without any Special
          Character or Numerical value / Application is Accepting Old Password                                 Medium
14        OWASP A7: Broken Authentication : Poor token generation and session id validation missing            Medium
15        OWASP A7: Broken Authentication : Application is Vulnerable to Brute Force Attack                    Medium
16        OWASP A3: Injection : Application is Vulnerable to OS command injections                              Low
18        OWASP A7: Broken Authentication : Session tokens are easily guessable and repetitive                 Low
Vulnerability-1. A2: Cryptographic Failures : Clear Text Submission of Username and Password
Severity: Critical
Actual Result: Credentials are visible in captured TCP packets because the login request is sent over an
unencrypted (HTTP) channel.
Expected Result: Credentials cannot be recovered by analysing the traffic with any network analyser tool; the
login form and its submission must be served over TLS only.
Impact: An adversary on the network path can capture the credentials, access the victim's account and perform
unintended activity.
References: https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
POC:
Vulnerability-2. A2: Cryptographic Failures : Passwords are stored in cookie as clear text
Severity: Critical
Prerequisites: NA
Expected Result: Passwords must never be stored in cookies or anywhere else in the browser; the browser should
hold only an opaque, random session identifier, and any stored credential must be salted and hashed on the
server.
Impact: Anyone who can read the cookie (through XSS, a shared machine, or an on-path position on HTTP) obtains
the user's password directly, compromising all the user data it protects.
Remediation: Do not place credentials in cookies; authenticate once and issue a random session identifier.
Store passwords only as salted hashes on the server side. Disable caching of pages and responses that carry
credentials.
References: https://owasp.org/www-community/vulnerabilities/Password_Plaintext_Storage
POC:
Vulnerability-3. A5: Security Misconfiguration : Invalid Certificate/Connection is not Secure
Severity: Critical
Steps to Reproduce:
3) Examine the validity of the certificates used by the application at both server and client levels.
5) Check the server's signature algorithms for whether they are current, deprecated or weak.
Actual Result: The application is served over a connection that browsers flag as not secure: no valid digital
certificate is presented, and the SSL certificate that is present has expired.
Expected Result: The application should present a valid digital certificate chained to a trusted CA and use
current signature algorithms.
POC:
Vulnerability-4. A5: Security Misconfiguration : Insecure storage mechanism of passwords
Severity: Critical
Prerequisites: NA
Steps to Reproduce: Access the log files and observe how sensitive data is stored. Try adding "/admin" to the
URL.
Actual Result: Sensitive data such as user details and passwords can be seen.
Impact: The confidentiality of other users is at stake, and horizontal and vertical privilege escalation attacks
can be carried out easily with the recovered credentials.
Remediation: Sensitive data such as usernames, passwords and credit card details should be stored in the
database hashed (for passwords) or encrypted (for data that must be recovered), and must never be written to
application logs.
References: https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
POC:
Vulnerability-5. A2: Cryptographic Failures : Missing Strict-Transport-Security policy in Response Header
Severity: High
Steps to Reproduce: Intercept any request during an active session and check whether the response headers
contain Strict-Transport-Security.
Impact: Without HSTS the browser is not forced onto HTTPS, so a first request over HTTP or a downgrade attack
lets an on-path adversary read or modify the traffic.
Remediation: Set the Strict-Transport-Security header on all HTTPS responses, with a max-age of at least one
year and includeSubDomains.
References: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security
POC:
Vulnerability-6. A3: Injection : Application is Vulnerable to XSS and click jacking attacks
Severity: High
Prerequisites: NA
Steps to Reproduce:
1. Visit "Pay Bills" after login and insert a script in the "Add Payee" input field, then check whether a
dialog box is created. Payload used: <a href="http://bing.com">hacker</script></a>. OR
2. Enter the following payload, which executes script through HTML event handlers:
<body onload=alert('test1')> <b onmouseover=alert('Wufff!')>click me!</b>
Actual Result:
1. A dialog box is created. OR
2. The injected markup is rendered, and hovering the mouse over "click me!" displays a dialog box with "Wufff!".
Expected Result: The input should be rejected with a message such as "Input entered is invalid", or be rendered
inertly as text.
Impact: An attacker can execute script in other users' browsers (steal sessions, perform actions as the victim)
and frame the application for clickjacking, leading to horizontal and/or vertical privilege escalation and
loss of confidential data.
Remediation:
1. Input validation and sanitization
2. Contextual output encoding
3. Content-Security-Policy headers, plus X-Frame-Options or CSP frame-ancestors against framing
References: https://owasp.org/www-community/attacks/xss/
POC:
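The header checks behind findings 2, 5 and 6 can be scripted instead of being read off one response at a time in Burp. The script below is an added example for this report, not code from the report or from zero.webappsecurity.com: it parses a captured response and reports a missing or short-lived Strict-Transport-Security header, cookies without Secure/HttpOnly or with credential-like names, and the absence of anti-framing headers and a CSP. The two responses are constructed inline for the demonstration; the one-year max-age threshold follows the OWASP WSTG HSTS guidance.

```python
import re
from typing import List, Tuple

ONE_YEAR = 31536000  # WSTG recommends an HSTS max-age of at least one year


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response into its status line and (lowercased-name, value)
    header pairs. Repeated headers such as Set-Cookie stay as separate entries."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = [ln for ln in re.split(r"\r?\n", head) if ln.strip()]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def values(headers: List[Tuple[str, str]], name: str) -> List[str]:
    return [v for n, v in headers if n == name]


def audit_headers(raw: str) -> List[str]:
    """Return the list of findings for one HTTPS response (empty list = clean)."""
    findings: List[str] = []
    _, headers = parse_response(raw)

    # Finding 5: HSTS must be present, long-lived and cover subdomains.
    hsts = values(headers, "strict-transport-security")
    if not hsts:
        findings.append("HSTS: Strict-Transport-Security header missing")
    else:
        directives = {}
        for part in hsts[0].split(";"):
            key, _, val = part.strip().partition("=")
            directives[key.lower()] = val.strip()
        try:
            max_age = int(directives.get("max-age", "0") or 0)
        except ValueError:
            max_age = 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS: max-age={max_age} is below one year")
        if "includesubdomains" not in directives:
            findings.append("HSTS: includeSubDomains not set")

    # Finding 2: cookies must carry Secure + HttpOnly and must never hold credentials.
    for cookie in values(headers, "set-cookie"):
        name_value, *attrs = [p.strip() for p in cookie.split(";")]
        cname = name_value.partition("=")[0]
        flags = {a.partition("=")[0].lower() for a in attrs}
        if "secure" not in flags:
            findings.append(f"Cookie {cname}: Secure flag missing")
        if "httponly" not in flags:
            findings.append(f"Cookie {cname}: HttpOnly flag missing")
        if re.search(r"pass(word|wd)?|pwd|secret", cname, re.I):
            findings.append(f"Cookie {cname}: credential-like cookie name (clear-text password in cookie?)")

    # Finding 6: framing needs X-Frame-Options or CSP frame-ancestors; XSS mitigation wants a CSP.
    csp = values(headers, "content-security-policy")
    framing_ok = bool(values(headers, "x-frame-options")) or any("frame-ancestors" in c.lower() for c in csp)
    if not framing_ok:
        findings.append("Clickjacking: no X-Frame-Options and no CSP frame-ancestors")
    if not csp:
        findings.append("XSS: no Content-Security-Policy header")
    return findings


# Constructed sample responses for the demonstration; not captured from the target.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Set-Cookie: JSESSIONID=8F3A2C1D; Path=/\r\n"
    "Set-Cookie: password=Passw0rd; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: JSESSIONID=8F3A2C1D; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(response) or ["clean"])
```

Run it against a response pasted out of Burp (status line plus headers). The cookie-name check is a heuristic that catches the pattern of finding 2 only when the cookie is named after its content; a cookie holding a password under an innocuous name still has to be spotted by decoding its value.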
Vulnerability-7. A5: Security Misconfiguration : Input validation is missing
Severity: High
Prerequisites: NA
Steps to Reproduce:
1. Insert invalid and/or very long alphanumeric strings in any input field and check whether they are accepted. OR
2. Append paths to the target URL and check the responses.
Actual Result:
1. Input of any format and length is accepted without validation. OR
2. Hidden URLs found by a dirb scan respond with live pages.
Expected Result:
1. An error message should be displayed on invalid input. OR
2. Hidden URLs carrying confidential data should not be reachable.
Impact: Unvalidated input puts confidential data at risk and may carry code, scripts or commands that interact
with the server's software and/or hardware and perform unwanted operations.
Remediation: Implement allowlist validation of input (type, length, character set). Return appropriate status
codes and generic error messages; do not leak verbose errors.
References: https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs
POC:
Vulnerability-8. A7: Broken Authentication : Idle Session is not getting Expired within Stipulated Time
Severity: High
Prerequisites: NA
Steps to Reproduce: Log in to the application, leave the session idle for one hour, then click any tab that
requires authentication. OR
Close the tab (not the browser) after login and reopen the target URL.
Actual Result: The session is still active after an hour. OR
The authenticated page is displayed even after the tab is reopened.
Expected Result: In both cases the session should have expired and the user should land on the login page.
Impact: Anyone who gains access to the unattended browser, or replays the still-valid session cookie, can use
the victim's account without authenticating.
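The fix for this finding is a server-side session table that checks an idle timeout and an absolute lifetime on every request, not a client-side timer. The following is an added example written for this report (not the application's code): the 15-minute idle and 8-hour absolute limits are assumed policy values, and the clock is injectable so the one-hour idle test from the steps above can be replayed without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed policy values for the example; not taken from the report.
IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime, regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table that enforces both timeouts on every lookup.
    The clock is injectable so the idle behaviour can be tested without sleeping."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        # 256 bits from the OS CSPRNG; a brand-new id on every login, never reused.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def resolve(self, sid: Optional[str]) -> Optional[str]:
        """Return the user bound to sid, or None if the id is unknown, idle-expired or past
        its absolute lifetime. Expired entries are deleted so they cannot be revived."""
        if not sid:
            return None
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        sess.last_seen = now   # activity extends the idle window only, never the absolute one
        return sess.user

    def destroy(self, sid: str) -> None:
        """Logout: drop the server-side record, so a replayed cookie is worthless."""
        self._sessions.pop(sid, None)


class FakeClock:
    """Controllable clock for demonstrating the timeouts."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo_idle_expiry() -> Tuple[bool, bool]:
    """Replays the report's test: still valid after 10 minutes, rejected after an hour idle."""
    clock = FakeClock()
    store = SessionStore(clock)
    sid = store.create("username")
    clock.advance(10 * 60)
    alive_at_10_min = store.resolve(sid) == "username"
    clock.advance(60 * 60)
    rejected_after_hour = store.resolve(sid) is None
    return alive_at_10_min, rejected_after_hour


if __name__ == "__main__":
    print(demo_idle_expiry())   # (True, True)
```

The tab-reopen case in the steps is a browser-side matter that the store alone cannot fix: the session cookie should be issued without Expires or Max-Age so the browser discards it when closed, and authenticated pages should be sent with Cache-Control: no-store so reopening the URL cannot show a cached copy. The server-side check above is still what actually ends the session.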
Vulnerability-9 / 10. A7: Broken Authentication : Adversary can reset email id using forgot password link /
A1: Broken Access Control : Access control check is missing
Severity: High (9), Medium (10)
Steps to Reproduce:
1. Append "/admin", "/errors" and "/manager" to the target URL without logging in. OR
2. Change the email id in the forgot-password request by intercepting it in Burp.
Actual Result:
1. Protected data is shown to the user without any check of access rights. OR
2. The account's email id changes to the attacker's email.
Expected Result:
1. The pages should return an authorization error status code. OR
2. The request should be rejected; the registered email id must not be changeable through the forgot-password
flow without verifying ownership of the existing address.
Impact: Unauthorized access can lead to misuse of confidential information and malicious activities, including
full account takeover through an attacker-controlled reset address.
Remediation: Perform a server-side access control check to ensure the user is authorized for every requested
object.
Use Access Control Lists (ACLs) mapped to objects.
Validate input.
Use indirect object references (per-session maps) rather than passing object identifiers as parameters.
References: https://owasp.org/Top10/A01_2021-Broken_Access_Control/
POC:
Vulnerability-11. A1: Broken Access Control : Unidentified Ports are Open on Application Server
Severity: Medium
Expected Result: Only the ports required by the application should be open; all others should be closed or
filtered.
Impact: Unidentified open ports increase the attack surface: they let an adversary enumerate the applications
running on the server and target services that were never meant to be exposed.
Remediation: Before migrating the application into the PRODUCTION environment, remove default credentials and
unused non-production artifacts (web pages, files, directories, database components) and close every port that
is not required.
References: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/04-Enumerate_Applications_on_Webserver
POC:
Vulnerability-12. A6: Vulnerable and Outdated Components : Vulnerable JQUERY Library Component
Severity: Medium
Steps to Reproduce: Check whether any component in use (OS, platform, library, web service, database, etc.) has
known vulnerabilities.
Actual Result: jQuery 1.8.2, jQuery UI, Apache Tomcat and several other components in use have known
vulnerabilities.
Remediation: Upgrade the components to currently supported versions. Where an immediate upgrade is not possible,
apply the vendor's patch or mitigation in the application immediately after the component is loaded.
References: https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/
POC:
Vulnerability-13. A7: Broken Authentication : Application is Accepting Weak Password without any Special
Character or Numerical value / Application is Accepting Old Password
Severity: Medium
Prerequisites: NA
Steps to Reproduce: Determine the usernames and passwords available for the application and analyse the
credentials supplied by the client. OR try creating a new user, or changing a password, with weaker credentials
or a previously used password.
Actual Result: Very weak passwords are accepted: no special characters, no digits and no mix of lower and upper
case letters. Previously used passwords are accepted again.
Expected Result: The application should enforce a password policy (minimum length, character classes) and
reject reuse of recent passwords.
Impact: Weak or recycled passwords are easily guessed, so an unauthenticated attacker can gain access and
perform authenticated actions.
Remediation: Enforce username and password policies, including password history.
References: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/05-Testing_for_Weak_or_Unenforced_Username_Policy
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy
POC:
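A password policy with history has to compare the new password against stored hashes, otherwise the history itself becomes the clear-text store described in finding 4. The check below is an added example for this report, not the application's code: the minimum length, the three-of-four character-class rule, the five-password history and the PBKDF2 iteration count are assumptions chosen for the demonstration (the iteration count is kept low so the example runs quickly; production should use a much higher one).

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Assumed policy for the example (not the application's): length, 3 of 4 character
# classes, no username inside the password, no reuse of the last 5 passwords.
MIN_LENGTH = 12
REQUIRED_CLASSES = 3
HISTORY_DEPTH = 5
PBKDF2_ITERATIONS = 100_000   # modest so the demo is quick; raise substantially in production
SALT_LEN = 16

CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the random salt is stored in front of the digest."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison against a stored salt+digest record."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def policy_violations(username: str, password: str, history: List[bytes]) -> List[str]:
    """Return every rule the proposed password breaks (empty list = acceptable).
    `history` holds hashes of the user's previous passwords, most recent last."""
    violations: List[str] = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(present) < REQUIRED_CLASSES:
        found = ", ".join(present) or "none"
        violations.append(f"only {len(present)} of {len(CHARACTER_CLASSES)} character classes ({found})")
    if username and username.lower() in password.lower():
        violations.append("contains the username")
    # Reuse is detected by verifying against stored hashes; never keep old passwords in clear text.
    if any(verify_password(password, old) for old in history[-HISTORY_DEPTH:]):
        violations.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    return violations


if __name__ == "__main__":
    previous = [hash_password("OldPassw0rd!")]
    for candidate in ("password", "OldPassw0rd!", "Correct-Horse-Battery-42"):
        print(candidate, "->", policy_violations("username", candidate, previous) or "accepted")
```

Return all violations at once rather than the first one, so the user sees what to fix in a single round trip; the message must not echo the old password or reveal how many history entries exist beyond the documented depth.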
Vulnerability-14. A7: Broken Authentication : Poor token generation and session id validation missing
Severity: Medium
Steps to Reproduce: Capture the session id and check its quality/randomness with Burp -> Sequencer.
Try deleting the session id and sending the request.
Vulnerability-15. A7: Broken Authentication : Application is Vulnerable to Brute Force Attack
Severity: Medium
Prerequisites: NA
Steps to Reproduce: Try to log in with a given username and invalid passwords more than 10 times. Check whether
the account is locked out.
Actual Result: The account does not lock out even after 10 failed login attempts.
Impact: An adversary can guess passwords or launch a brute-force attack with a wordlist or generator, which may
give him unauthenticated access.
Remediation: Lock the account after a small number of consecutive invalid login attempts (3 is recommended) and
send a password reset link to the registered email account. Combine this with progressive delays or a CAPTCHA
so that an attacker cannot trivially lock legitimate users out.
References: https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks
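Lockout logic that counts only per account stops a dictionary attack on one user but not a password-spraying run across many users from one address, so a practical guard tracks both keys. The class below is an added example for this report, not the application's code: the account threshold follows the remediation above (3 attempts), while the per-source threshold, the 15-minute window and lockout duration, and the sample usernames and addresses are assumptions for the demonstration.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List

# Assumed thresholds; the report's remediation asks for lockout after 3 invalid attempts.
ACCOUNT_MAX_FAILURES = 3
SOURCE_MAX_FAILURES = 20     # looser per source IP, so one NAT'd office is not locked by one user
WINDOW = 15 * 60             # failures older than this no longer count
LOCKOUT = 15 * 60            # how long a locked key stays locked


class LoginGuard:
    """Tracks failed logins per account and per source address and locks either key
    once its threshold is reached inside the window."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def _recent_failures(self, key: str, now: float) -> Deque[float]:
        window = self._failures[key]
        while window and now - window[0] > WINDOW:
            window.popleft()
        return window

    def is_locked(self, key: str) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self._clock() >= until:
            # lockout elapsed: clear it and start the failure count afresh
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def attempt(self, username: str, source_ip: str, password_ok: Callable[[], bool]) -> str:
        """Return 'locked', 'invalid' or 'ok'. While locked the password is not even
        evaluated, so the lock cannot be used as an oracle for a correct guess."""
        now = self._clock()
        account_key = f"user:{username.lower()}"
        source_key = f"ip:{source_ip}"
        if self.is_locked(account_key) or self.is_locked(source_key):
            return "locked"
        if password_ok():
            self._failures[account_key].clear()
            return "ok"
        for key, limit in ((account_key, ACCOUNT_MAX_FAILURES), (source_key, SOURCE_MAX_FAILURES)):
            window = self._recent_failures(key, now)
            window.append(now)
            if len(window) >= limit:
                self._locked_until[key] = now + LOCKOUT
        return "invalid"


class FakeClock:
    """Controllable clock so the lockout can be demonstrated without waiting."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo_brute_force(correct: str = "Correct-Horse-Battery-42") -> List[str]:
    """Three wrong guesses, then the right password (still refused), then success once
    the lockout has elapsed."""
    clock = FakeClock()
    guard = LoginGuard(clock)
    outcomes = []
    for guess in ("password", "123456", "letmein", correct):
        outcomes.append(guard.attempt("username", "203.0.113.5", lambda g=guess: g == correct))
    clock.advance(LOCKOUT + 1)
    outcomes.append(guard.attempt("username", "203.0.113.5", lambda: True))
    return outcomes


if __name__ == "__main__":
    print(demo_brute_force())   # ['invalid', 'invalid', 'invalid', 'locked', 'ok']
```

The response to the client should be the same generic failure message whether the outcome is "invalid" or "locked"; the distinction is for logging and for triggering the reset e-mail to the registered address, not for the login page.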
Vulnerability-16. A3: Injection : Application is Vulnerable to OS command injections
Severity: Low
Prerequisites: NA
Steps to Reproduce: Append OS command injection payloads to the end of the target URL and check the responses.
Payload examples: ";", ";id", ";id;", etc.
Actual Result: The application throws an exception showing that the payload was handed to an interpreter and
the command could not be found.
Expected Result: The application should reject the input with a generic "Bad Request" message.
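Findings 7 and 16 share one root cause and one fix: a parameter that reaches a shell without an allowlist check. The snippet below is an added example for this report, not code from zero.webappsecurity.com: the statement-download tool, its path and the account-id parameter are hypothetical. It shows what a shell would make of the ";id" payload when the parameter is pasted into a command string, and the hardened handler that validates against an allowlist, builds an argv list so no shell is involved, and answers with a generic "Bad Request" instead of an exception.

```python
import re
import shlex
from typing import List, Tuple, Union

# Hypothetical endpoint for the demonstration: a statement download that invokes a
# command-line tool with an account id. Neither the binary nor the parameter appear in the report.
STATEMENT_TOOL = "/opt/bank/bin/statement"
ACCOUNT_ID = re.compile(r"[0-9]{1,12}")   # allowlist: digits only, bounded length


def vulnerable_command_line(account_id: str) -> str:
    """The bug: untrusted input pasted into a string that is later run by a shell
    (subprocess with shell=True, os.system, Runtime.exec("sh -c ...")). Built here for
    inspection only; it is never executed."""
    return f"{STATEMENT_TOOL} --account {account_id}"


def commands_seen_by_shell(command_line: str) -> List[List[str]]:
    """Tokenise the way a POSIX shell would and split on command separators, to show
    what the server would actually run. Uses shlex's punctuation_chars mode."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: List[List[str]] = []
    current: List[str] = []
    for token in lexer:
        if token in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def handle_statement_request(account_id: str) -> Tuple[int, Union[str, List[str]]]:
    """Hardened handler: allowlist-validate, then build an argv list for a shell-free
    subprocess.run(argv). Rejections carry a generic message, never the exception or the input."""
    if len(account_id) > 12 or not ACCOUNT_ID.fullmatch(account_id):
        return 400, "Bad Request"
    argv = [STATEMENT_TOOL, "--account", account_id]
    # subprocess.run(argv, check=True, capture_output=True) would go here. With no shell
    # involved, ';' and friends are ordinary characters and could only reach the tool as data.
    return 200, argv


if __name__ == "__main__":
    for payload in ("1001", "1001;id", ";id;", "A" * 5000):
        shown = repr(payload[:20])
        print(shown, "shell would run:", commands_seen_by_shell(vulnerable_command_line(payload)))
        print(shown, "hardened handler:", handle_statement_request(payload))
```

The length check before the regex is what addresses finding 7 (arbitrarily long input accepted); the allowlist is what addresses finding 16. Even if a metacharacter slipped past validation, the argv form would pass it to the tool as a literal argument rather than to a shell.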
Severity: Low
Steps to Reproduce: Intercept any request in Burp Suite, send it to Repeater, forward the request and check the
response headers.
Impact: Unauthorized cross-origin resource sharing is possible, leading to sensitive data exposure.
Vulnerability-18. A7: Broken Authentication : Session tokens are easily guessable and repetitive
Severity: Low
Steps to Reproduce: Intercept the login request in Burp Suite and send the session and user tokens to the
Sequencer tab. Analyse the report after collecting at least 200 tokens.
Expected Result: Sequencer should rate the overall quality of randomness as "Excellent", with a high estimated
entropy.
Impact: Predictable or repeated tokens let an adversary guess or replay another user's session and take over
the account.
Remediation: The server should issue a new session token on successful login, role change, password reset and
logout. Tokens must be generated by a cryptographically secure random generator and be unique every time.
References: https://www.amirootyet.com/post/how-to-test-cookie-session-id/
https://medium.com/securing/why-is-randomness-important-especially-in-the-world-of-cryptocurrencies-part-1-ebd3343c7b55
POC:
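The Sequencer verdicts in findings 14 and 18 can be reproduced in outline with a per-position entropy estimate over a batch of tokens captured in order, which also exposes the two failure modes named here: tokens that repeat and tokens that count up. The script below is an added example for this report, not Burp's algorithm or the application's code; the three token sets are constructed for the demonstration, and the 64-bit and quarter-of-positions thresholds are assumptions (OWASP's session management guidance asks for at least 64 bits of entropy).

```python
import math
import secrets
from collections import Counter
from typing import Dict, Iterable, List


def shannon_bits(symbols: Iterable[str]) -> float:
    """Entropy in bits of the observed symbol distribution."""
    counts = Counter(symbols)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def looks_sequential(tokens: List[str]) -> bool:
    """True if, read as hex numbers in capture order, the tokens step by one constant."""
    try:
        numbers = [int(t, 16) for t in tokens]
    except ValueError:
        return False
    steps = {b - a for a, b in zip(numbers, numbers[1:])}
    return len(steps) == 1 and steps != {0}


def assess_tokens(tokens: List[str]) -> Dict[str, object]:
    """Sequencer-style sanity check on a batch of session tokens captured in order."""
    if len(tokens) < 2:
        raise ValueError("need at least two tokens")
    length = min(len(t) for t in tokens)
    per_position = [shannon_bits(t[i] for t in tokens) for i in range(length)]
    static_positions = sum(1 for bits in per_position if bits < 0.5)   # never (or barely) change
    estimated_bits = sum(per_position)   # an upper bound: real entropy is no higher than this
    duplicates = len(tokens) - len(set(tokens))
    sequential = looks_sequential(tokens)
    # Thresholds are assumptions for this example; OWASP asks for >= 64 bits of entropy.
    weak = duplicates > 0 or sequential or static_positions > length // 4 or estimated_bits < 64
    return {
        "tokens": len(tokens),
        "length": length,
        "estimated_bits": round(estimated_bits, 1),
        "static_positions": static_positions,
        "duplicates": duplicates,
        "sequential": sequential,
        "verdict": "poor" if weak else "good",
    }


# Constructed token sets for the demonstration; none were captured from the target.
COUNTER_TOKENS = [f"{n:016x}" for n in range(2000, 2200)]     # a server counter padded to 16 hex digits
REPEATED_TOKENS = ["c0ffee" * 4] * 200                          # the same value handed out on every login
RANDOM_TOKENS = [secrets.token_hex(16) for _ in range(200)]     # 128 bits from a CSPRNG

if __name__ == "__main__":
    for label, batch in (("counter", COUNTER_TOKENS), ("repeated", REPEATED_TOKENS), ("random", RANDOM_TOKENS)):
        print(label, assess_tokens(batch))
```

Two caveats a tester should keep in mind: with 200 samples the per-position estimate cannot exceed log2(200) bits, so a "good" verdict on a short capture is only a sanity check and not proof of strength; and a batch collected from a single login can pass while the real weakness is that the same token is reissued across logins, which is why the capture should span repeated authentications.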
Thank You!!