Security And Penetration Testing

Vulnerabilities Report
 Project URL: http://zero.webappsecurity.com

To Be Viewed By
Client: Micro Focus
Authorized
Date of Completion: 28-09-2022
Personnel Only
Confidentiality and liability
This document is property of Micro Focus Senior IT management only, and contains matter which is strictly
confidential and must not be given to any third party, or be printed or reprinted or photo-copied or shared in
electric from such as email, in whole or in part, without the prior consent of Micro Focus Senior IT
management. If you received this document in error please notify the owner or us Immediately. Consistent
System will not be liable for any misuse of information in this document in any form, or situation or event.
Management personnel, who are responsible for receiving this document, do own and control the document.
Disclaimer
Since the success of the testing is a joint venture between the customer and Consistent Systems we seek
complete support from customer’s IT management and a helpful tech contact person. Consistent Systems will
not be responsible for any data loss, business functionality loss, reputational and/or revenue loss etc. caused
during the testing or then forth. To that end, Consistent System mandates and urges customer to be very
diligent to back up all the systems, configurations, folders and files, and settings which come in the scope of
proposed testing.
By its nature, pen-tests scan only the vulnerabilities that potentially lead to an intrusion. It does not mean that
the intrusions which happened in the past will be detected; neither would it mean that it will detect and
prevent intrusions which might happen in future.
Penetration tests are meant to find possible vulnerabilities based on the data provided by customer. If
inadequate or incorrect data is provided, it can result into limiting the scope of testing, which can further
result into unidentified loopholes in the networks. Consistent System will not be liable of such situations.
Disclaimer
With time, hacking methodologies, technologies and took change, as a result, vulnerability fixed today
does not mean it is fixed forever. It is very likely that the vulnerability fixed today with a patch or
reconfiguration, can still be exploited in future, which makes penetration testing a periodically conducted
continuous improvement process.
It is often misconstrued that a penetration test is really an actual hacking attack, however it reality the
penetration test, is a network scanning, as well as an attempt to penetrate for the possible vulnerabilities
that can potentially lead to an intrusion. An actual penetration may not happen, because most of the real
life hacking scenarios is rather time consuming process which can only be simulated up to some extent in
penetration test.
VAPT tests are not capable of and are not intended to detect an internet hardware, software, firmware or
application based problems. Same applies to IT performance and functionality problems too.
As a policy to protect customer’s data privacy, Consistent System does not provide log to the customer.
The logs are treated as internal working data for Consistent System tech team, hence are intellectual
property of Consistent System, and the report generated out of it is the only output or outcome meant for
customer to see. Consistent System deletes or destroys all the logs and findings of the performance test,
after three days from the submission of final report as matter of security practice, to protect client’s
confidentiality. Any disputes or concerns raised after three days will call for a retesting which counts
repetition of the testing reports and will be charged extra.
and trying it to the specific product, and is not a generic one.
Disclaimer
If the penetration test is being carried out for product security endorsement, it is important to understand
that the test certifies software build version and the same that of the applications running on the product.
This also means that any major or minor change in the software, or operating systems or application stacks
which forms the product undergoes any change or update or configuration change, the certificate
provided becomes null and void and in such case product would need to be recertified for the new
software build. This certificate provided by us for product, clarify mentions the software and application
build and the related technical details making and trying it to the specific product, and is not a generic one.
 Vulnerability Finding And Attacks Performed
OWASP
Approx. No. of Attacks
Standards Attack Type
Performed
2021
A1 Broken Access Control 100+

A2 Cryptographic Failure (Sensitive 150+

Data Exposure)

A3 Injection (SQL, XSS, XXE, etc) 340+

A4 Insecure Design 50+

A5 Security Misconfiguration 500+

A6 Vulnerable and Outdated 50+

Components
A7 Identification and Authentication 900+
Failures
A8 Software and Data Integrity 45+
Failures
A9 Security Logging & Monitoring 30+
Failures

A10 Server Side Request Forgery 25+

 Vulnerability List
SR.
Vulnerability Title Severity
No.
1 OWASP A2: Cryptographic Failures : Clear Text Submission of Username and Password Critical

2 OWASP A2: Cryptographic Failures : Passwords are stored in cookie as clear text Critical

3 OWASP A5: Security Misconfiguration : Invalid Certificate/Connection is not Secure Critical

4 OWASP A5: Security Misconfiguration : Insecure storage mechanism of passwords Critical

5 OWASP A2: Cryptographic Failures : Missing Strict-Transport-Security policy in Response Header High

6 OWASP A3: Injection: Application is Vulnerable to XSS and click jacking attacks High

7 OWASP A5: Security Misconfiguration : Input validation is missing. High

8 OWASP A7: Broken Authentication : Idle Session is not getting Expired within Stipulated Time High

9 OWASP A7: Broken Authentication : Adversary can reset email id using forgot password link High

10 OWASP A1: Broken Access Control : Access control check is missing Medium
SR.
Vulnerability Title Severity
No.
11 OWASP A1: Broken Access Control : Unidentified Ports are Open on Application Server Medium

12 OWASP A6: Vulnerable and Outdated Components : Vulnerable JQUERY Library Component Medium

OWASP A7: Broken Authentication : Application is Accepting Weak Password without any Special Character or
13 Medium
Numerical value/ Application is Accepting Old Password .

14 OWASP A7: Broken Authentication : Poor token generation and session id validation missing Medium

15 OWASP A7: Broken Authentication : Application is Vulnerable to Brute Force Attack Medium

16 OWASP A3: Injection: Application is Vulnerable to OS command injections Low

17 OWASP A3: Injection: Missing Access-Control-Allow-Origin(CORS) in Response header Low

18 OWASP A7: Broken Authentication : Session tokens are easily guessable and repetitive Low
Vulnerability-1.A2.Cryptographic Failures – Clear Text Submission of Username and
Password
Severity: Critical

Prerequisites: Wireshark Tool

Steps to Capture and observe POST packets in Wireshark tool.

Reproduce: Check if credentials are transmitted in plain text or encrypted format.

Actual Result: Credentials can be seen in TCP packets as they are sent over un-encrypted channel.

Expected Result: Credentials cannot be figured out by analyzing the packets using any network analyzer tool.

Impact: Adversary can access in to victims account and perform unintended activity.

Remediation: Credentials should be transmitted in an encrypted format.

References: https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
POC:
Vulnerability-2.A2.Cryptographic Failures – Passwords are stored in cookie as clear text

Severity: Critical

Prerequisites: NA

Steps to 1. Observe credentials before and after enabling remember me functionality.

Reproduce: 2. Observe Local cache and browser cookie cache.
3. Look for passwords being stored in a cookie. Examine the cookies stored by the application.
Verify that the credentials are not stored in clear text, but are hashed.
Actual Result: Passwords can be seen stored in browser cache and not in hashed condition.

Expected Result: Passwords should never be stored in browser cache and if they are stored, they must be in
hashed condition.
Impact: Compromises all the user data that should have been protected.

Remediation: Credentials are not stored in clear text, but are hashed. Disable caching of passwords.

References: https://owasp.org/www-community/vulnerabilities/Password_Plaintext_Storage
POC:
Vulnerability-3. A5: Security Misconfiguration : Invalid Certificate/Connection is not Secure

Severity: Critical

Prerequisites: Kali Linux with SSLScan

Steps to 1) SSL scan will not run for HTTP protocol

Reproduce:
2) Run SSL scan in kali linux.
Command: sslscan 54.82.22.214 OR
sslscan http://zero.webappsecurity.com

3) Examine the validity of the certificates used by the application at both server and client levels.

4) Check SSL/TLS version and their algorithms

5) Check server signature algorithms whether they are live or dead or weak
Actual Result: Application is not using any Digital certificate & connection is not secure. SSL Certificate has
expired.
Expected Result: Application should use valid Digital certificate.

Impact: Makes the system more vulnerable to hacking.

 Remediation: 1) SSL/TLS protocol version should be updated
2) All server signature algorithm should be Live
References: https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication

POC:
Vulnerability-4. A5: Security Misconfiguration : Insecure storage mechanism of passwords

Severity: Critical

Prerequisites: NA

Steps to Access the log files and observe how sensitive data is stored. Try adding “/admin” to the URL.
Reproduce:

Actual Result: Sensitive data like user details and passwords can be seen.

Expected Result: Unintended links should not be displayed.

Impact: Confidentiality is at stake of other users and horizontal and vertical escalation of privileges attack
can be exploited easily.
Remediation: All the sensitive data for e.g. username, password, credit card details etc. should be stored in
hashed/encrypted format at database.
References: https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
POC:
Vulnerability-5.A2. Cryptographic Failures : Missing Strict-Transport-Security policy in
Response Header
Severity: High

Prerequisites: BURP Tool

Steps to Intercept any request and check for HSTS present in the headers while active session.
Reproduce:

Actual Result: HTTP Strict Transport Security header is missing.

Expected Result: HTTP Strict Transport Security header is set.

Impact: Encrypted Channel for data transmission cannot be implemented which makes the data prone to
various vulnerabilities.
Remediation: HSTS header should be used and set in all responses.

References: https://owasp.org/www-project-web-security-testing-guide/latest/4-
Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-
Test_HTTP_Strict_Transport_Security
POC:
Vulnerability-6. A3: Injection: Application is Vulnerable to XSS and click jacking attacks

Severity: High

Prerequisites: NA

Steps to 1. Visit “Pay-Bills” after login and insert a script in “Add Payee” input field and check whether it
Reproduce: creates a dialog box or not. Script can be <a href="http://bing.com">hacker</script></a>. OR
2. Enter the following script to check for clickjacking attack on mouseover.
<body onload=alert('test1')> <b onmouseover=alert('Wufff!')>click me!</b>
Actual Result: 1. Dialog box is created. OR
2. Message with “Wuff!” is displayed and when mouse is hovered on it, it displays a dialog box.
Expected Result: Page should land on login.html or display a message “ Input entered is invalid”.

Impact: Attacker can execute Cross-site scripting and click jacking attacks and perform horizontal and/or
vertical escalation of privileges leading to loss of confidential data.
Remediation: 1. Input validation and sanitization
2. Enable Content Security Policy Headers
3. Output Encoding and so on
References: https://owasp.org/www-community/attacks/xss/
POC:
Vulnerability-7. A5: Security Misconfiguration : Input validation is missing.

Severity: High

Prerequisites: NA

Steps to 1. Try inserting invalid and/or long alphanumeric characters in any input field and check whether it
Reproduce: is accepting it. OR
2. Try adding paths to the target URL and check the responses
Actual Result: 1. Any input data in whatever format and length is being accepted without any validation. OR
2. Pages are being responsive on hidden URLs found from dirb scan.
Expected Result: 1. Error messages should be displayed on invalid data input. OR
2. Hidden URLs should not display if they carry any confidential data.
Impact: Confidential data may be at stake on allowing invalid data. It may also pass codes, scripts and
commands which may interact with the software and/or hardware of the server and perform
unwanted operations.
Remediation: Appropriate Status codes should be returned in response header and no verbose errors should be
allowed. Whitelisting of the input data should be implemented.
References: https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs
POC:
Vulnerability-8. A7: Broken Authentication : Idle Session is not getting Expired within Stipulated
Time
Severity: High

Prerequisites: NA

Steps to Login to the application with the credentials and keep the session idle for one hour, then try to
Reproduce: click on any tab which require authentication to display it. OR
Also try to close the tab( not the browser) after login and reopen the target URL.
Actual Result: Session is still active after an hour. OR
Active page is displayed even after the tab is reopened.
Expected Result: Session should be expired and it should land on the login page in both the cases.

Impact: Unauthenticated access can occur when the session is not expired.

Remediation: Session expires on browser closure and tab closure.

As the target application is critical, session timer of 5-15minutes is suggested after which the
session should expire.
References: https://owasp.org/www-project-mobile-top-10/2014-risks/m9-improper-session-handling
https://owasp.org/www-project-web-security-testing-guide/latest/4-
Web_Application_Security_Testing/06-Session_Management_Testing/01-
Testing_for_Session_Management_Schema
Vulnerability-9. A7: Broken Authentication : Adversary can reset email id using forgot password
link
Severity: High

Prerequisites: Burp Tool

Burp POC Genrator
Steps to TO Genrate CSRF attack
Reproduce: 1. Burp tool : Engagement Tools -> Generate CSRF POC on state change activity (Forgot
Password)
OR
2. Manually create HTML file and open link in same browser another tab.
Actual Result: Adversary Email id gets updated in the database.

Expected Result: Session Should log out and land on login page.

Impact: Attacker can get the admin access .

Attacker can force victims to perform any action which victim is not unintended to do.
Remediation: Per session/per request CSRF tokens should be implemented.
Set-Cookie: “Samesite” Flag should be set to strict.
Also use extra level of authentication and do not use GET method for state changing operations.
Mitigations of XSS attacks.
References: https://owasp.org/www-community/attacks/csrf
POC:
Vulnerability-10. A1: Broken Access Control : Access control check is missing

Severity: Medium

Prerequisites: Burp Suite Pro

Steps to 1. Try adding “/admin” , “/errors” and “/manager” to the target URL without logging in. OR
Reproduce: 2. Try changing email id on forgot password link by intercepting the request in Burp.

Actual Result: 1. Unauthorized data is shown to the user without verifying the access rights. OR
2. Email id changes to the attacker email.
Expected Result: 1. Pages should display error status code. OR
2. Session should expire and land on login page.
Impact: Unauthorized access can lead to misuse of confidential information and malicious activities.

Remediation: Perform an access control check to ensure the user is authorized for the request object
Use Access Control Lists (ACL) and map it to objects
Input Validation
Use Pointer to point the object rather than passing object as parameter
References: https://owasp.org/Top10/A01_2021-Broken_Access_Control/
 POC:

2
Vulnerability-11. A1: Broken Access Control : Unidentified Ports are Open on Application
Server
Severity: Medium

Prerequisites: KaliLinux with Nmap OR

Zenmap (Windows)
Steps to Run Nmap tool on Kali Linux with the following command: Nmap -sC --script vuln 54.82.22.214
Reproduce: OR

Run a regular scan in Zenmap with following IP address: 54.82.22.214

Actual Result: Open ports are shown which are unidentified.

Expected Result: Only required ports should be opened and all others should be closed.

Impact: Unidentified open ports can lead to increased risk of malicious activity on a network by
enumerating applications on server.
Remediation: Default credentials of Non-Prod Environment extra-unused: web pages, files, directories,
database components, ports should be closed while migrating application into PRODUCTION
Environment.
References: https://owasp.org/www-project-web-security-testing-guide/latest/4-
Web_Application_Security_Testing/01-Information_Gathering/04-
Enumerate_Applications_on_Webserver
POC:
Vulnerability-12. A6: Vulnerable and Outdated Components : Vulnerable JQUERY Library
Component
Severity: Medium

Prerequisites: BURP and Wappalyzer Extension in any browser.

Steps to Check any component like OS, platform, library, webservice, database, etc are in use which have
Reproduce: known vulnerabilities.

Actual Result: JQuery 1.8.2, JQuery UI, Apache Tomcat and many others are vulnerable components.

Expected Result: No components with known vulnerabilities.

Impact: Makes the system more vulnerable to hacking.

Remediation: To apply a patch manually in the application, just after loading the jQuery and other components.
To upgrade the components version to latest one.

References: https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/
POC:
Vulnerability-13. A7: Broken Authentication : Application is Accepting Weak Password without
any Special Character or Numerical value/ Application is Accepting Old Password .

Severity: Medium

Prerequisites: NA

Steps to Determine the usernames and passwords available for the application and analyze the credentials
Reproduce: supplied from the client. OR try creating a new user with weaker credentials.

Actual Result: The password is very weak with no special characters, numbers, combination of lower and upper case
letters.
Expected Application returns generic error messages in response to invalid username and password.
Result:
Impact: Leads to broken authentication where unauthenticated user can have access and perform authenticated
actions.
Remediation: Enforce username and password policy.

References: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-
Identity_Management_Testing/05-Testing_for_Weak_or_Unenforced_Username_Policy

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-
Authentication_Testing/07-Testing_for_Weak_Password_Policy
POC:
Vulnerability-14. A7: Broken Authentication : Poor token generation and session id validation
missing
Severity: Medium

Prerequisites: Burp Suite Pro

Steps to Capture session Id and check its quality/randomness with Burp->Sequencer tab.
Reproduce: Try deleting the session id and sending the request.

Actual Result: Session id complexity is poor and repetitive.

Request getting executed despite missing session id.
Expected Result: Session id complexity must be excellent and unique.
Session validation must be done and land on login page.
Impact: Bypassing of authentication page leads to unauthenticated access of data and code.

Remediation: 1) Access to all the files/folders/URL should be protected.

2) Sensitive object references should not be passed through URL .
3) Randomness of the session ID should be excellent.
4) Prepared statements, Input validations, stored procedures should be implemented.
References: https://owasp.org/www-project-mobile-top-10/2014-risks/m9-improper-session-handling
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
POC:
Vulnerability-15. A7: Broken Authentication : Application is Vulnerable to Brute Force Attack

Severity: Medium

Prerequisites: NA

Steps to Try to login with a given username and invalid passwords more than 10times.Check whether the
Reproduce: username is locked out or not.

Actual Result: Username does not lock out even after 10 failed login attempts.

Expected Result: Username should be locked after 3 unsuccessful login attempts.

Impact: Adversary can try guessing the passwords or can launch a brute force attack using an algorithm
which may give unauthenticated access to him.
Remediation: Account should be locked on 3 invalid login attempts. Reset password link should be sent to
registered Email account.
References: https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks
Vulnerability-16. A3: Injection: Application is Vulnerable to OS command injections

Severity: Low

Prerequisites: NA

Steps to Try to enter payloads of OS command injection at the end of the target URL and check the
Reproduce: responses. Payload examples: “;”, “;id”, ”;id;”, etc.

Actual Result: Application throws an exception which shows that the payload was tried to compile and could not
be found.
Expected Result: Should display a common message as “Bad Request”.

Impact: Application Compromise

Data Compromise
.
Remediation: Strong Input Validation, Do not call OS commands from Application Layer, use APIs
instead. The lowest possible privileges should be given to Application.
References: https://owasp.org/www-community/attacks/Command_Injection
POC:
Vulnerability-17. A3: Injection: Missing Access-Control-Allow-Origin(CORS) in Response header

Severity: Low

Prerequisites: Burp Suite Pro

Steps to Intercept any request in Burp Suite, send it to repeater and forward the request and check the
Reproduce: response headers.

Actual Result: Access-Control-Allow-Origin header is set to “*”.

Expected Result: Access-Control-Allow-Origin header should be set to “Origin”.

Impact: Unauthorized Cross origin resource sharing is possible. Sensitive data exposure.

Remediation: Access-Control-Allow-Origin header should be set to “Origin” or “Method” or “Credentials”

depending on the business requirements.
References: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
POC:
Vulnerability-18. A7: Broken Authentication : Session tokens are easily guessable and repetitive

Severity: Low

Prerequisites: Burp Suite Professional

Steps to Intercept login request in Burp suite and select the Session and user tokens to Sequencer tab.
Reproduce: Analyze the report after sending at least 200 requests.

Actual Result: Overall quality of randomness of tokens is poor. Uncertainty is less.

Expected Result: Overall quality of randomness of tokens should be “Excellent”. Uncertainty should me more.

Impact: Unauthorized Cross origin resource sharing is possible. Sensitive data exposure.

Remediation: On successful login, Role Change, Password reset, logout new session tokens should be issued by
server. They must be complex and unique every time.
References: https://www.amirootyet.com/post/how-to-test-cookie-session-id/

https://medium.com/securing/why-is-randomness-important-especially-in-the-world-of-
cryptocurrencies-part-1-ebd3343c7b55
POC:
Thank You!!