Vulnerability Assessment and Penetration Testing
TABLE OF CONTENTS
Chapter-5 CONCLUSION 48
REFERENCES 49
LIST OF ABBREVIATIONS
ABSTRACT
Vulnerability Assessment and Penetration Testing (VAPT) is a crucial process to identify and
address potential risks in computer systems and networks for any organization and to help
maintain its security posture. Evaluating the degree of risk and potential effects of security
vulnerabilities in a system or network is part of this systematic and thorough approach.
Finding vulnerabilities before they can be used maliciously to undermine the confidentiality,
integrity, and availability of data and systems is the most crucial and vital goal of VAPT.
The vulnerability assessment and penetration testing phases make up the VAPT process.
Security experts employ a range of instruments and methods during the first stage, known as
vulnerability assessment, to find weaknesses in the system or network. This entails running
scans, going over logs, and examining the settings of the system. Once vulnerabilities are
identified, they are prioritized based on the level of risk they pose to the organization.
The second stage after Vulnerability assessment is penetration testing, security professionals
attempt to exploit the vulnerabilities identified in the previous stage to determine the level of
risk and potential impact. The objective of this step is to simulate a real-world attack scenario
and identify any loopholes or weaknesses in the system's defense mechanisms that may help
the attacker enter the organization. Penetration testing provides valuable insights into the
effectiveness of the organization's security controls and helps to identify areas where
improvements can be made.
VAPT has a lot of benefits when it comes to using it on a larger scale. In the first place, it
helps organizations identify vulnerabilities in their network or applications before they can be
exploited by malicious actors, resulting in a reduction of the risk of data breaches, theft, and
other security incidents. Secondly, it helps businesses ensure compliance with working
industry standards and the regulations, such as the Payment Card Industry Data Security
Standard (PCI DSS) and the General Data Protection Regulation (GDPR). Apart from the
above mentioned, VAPT also helps organizations improve their overall security posture and
gain a better understanding of their security risks and vulnerabilities.
Chapter 01: INTRODUCTION
1.1 INTRODUCTION
Vulnerability Assessment and Penetration Testing (VAPT) are critical processes for security
engineers to identify and prioritize security issues in a system or network. After conducting
VAPT, security engineers can list the identified security issues based on the Common
Vulnerability Scoring System (CVSS) score [1] for further risk analysis and deployment of
fixes. The security engineer's primary role in VAPT is to handle security issues discovered
within the organization and externally by security researchers with caution.
In recent years, security has become increasingly important for companies, and most undergo
security testing of their domains and applications. The responsibility for carrying out VAPT
falls on security engineers. In this process, they must pay special attention to the Open Web
Application Security Project's (OWASP) top 10 security vulnerabilities, which are commonly
targeted by attackers.
By using VAPT, security engineers can identify vulnerabilities and address them before they
can be exploited by malicious actors. This helps to ensure the confidentiality, integrity, and
availability of sensitive data and systems. Additionally, VAPT can help organizations meet
regulatory compliance requirements and maintain their reputation by avoiding security
breaches and data theft.
1.2 PROBLEM STATEMENT
The project revolves around identifying potential security weaknesses and vulnerabilities
within a system, application, or network that could be exploited by attackers. The goal of the
project is to assess the security posture of the target system and determine the level of risk
that it poses to the organization.
A VAPT project is typically initiated when an organization wants to ensure that its systems
are secure and free from vulnerabilities.
1.3 OBJECTIVES
The primary objective of a VAPT (Vulnerability Assessment and Penetration Testing) project is to
identify and address potential vulnerabilities in a system, application, or network, and assess its
security posture. The project aims to proactively identify security weaknesses and mitigate them
before they can be exploited by attackers.
Then the company fixes these issues and asks for the revalidation of the issues whether the issue is
fixed or not. Some important objectives also behind the VAPT project are:
Identifying security weaknesses: The project aims to identify any vulnerabilities that could
be exploited by attackers, including known vulnerabilities, configuration errors, and coding
mistakes.
Assessing security posture: The project assesses the overall security posture of the system,
application, or network, which includes evaluating its ability to withstand attacks and
mitigate potential threats.
Mitigating risks: Once vulnerabilities are identified, the project helps to prioritize them based
on their severity and provides recommendations for mitigation to reduce risks.
Meeting compliance requirements: Many organizations are required to comply with industry
regulations or government mandates that require periodic security assessments. A VAPT
project can help organizations meet these compliance requirements.
1.4 METHODOLOGY
1.5 ORGANIZATION
This project report is divided into five chapters, which are as follows:
Chapter 1: This chapter gives a brief introduction to the project and a brief overview of
how VAPT works. It also states the problem statement and the objectives of the project,
introduces the methodology used for the project, and describes the steps involved in a
VAPT process.
Chapter 2: This chapter reviews previous work related to VAPT and security. The literature
survey chapter includes a broad and complete analysis of existing research, studies, and
publications related to vulnerability assessment and penetration testing. It helps provide a
complete understanding of the current state of VAPT, its importance in the context of
cybersecurity, and the different methods and tools used in the process.
Chapter 3: This chapter describes the steps and methodologies that I have followed to work
on the whole project. It also covers system development and gives a complete description of
the project, including a detailed analysis of the different tools and technologies used in the
assessment. The system development section also includes the vulnerabilities that were
found, their severity level, and recommendations for remediation.
Chapter 5: The last chapter presents the conclusion and future work of this project report.
It provides information about how each step works and generates appropriate results. This
chapter also summarizes the vulnerabilities that were found and closes with a discussion of
how these vulnerabilities affect a system.
It also includes the future scope, which discusses the current situation of VAPT in industry
and its need in the coming future.
Chapter 02: LITERATURE SURVEY
For any security engineer, Vulnerability Assessment and Penetration Testing is a way to find
all the security issues in a particular application or system and list them according to their
CVSS score for risk analysis. In this section, I have provided some literature works from
cybersecurity researchers and professionals from whom I took help while working on the
project.
As the complexity of systems keeps increasing rapidly with time, the potential for
vulnerabilities that attackers can exploit to compromise the system increases as well. This
can be avoided by identifying and addressing these vulnerabilities before attackers can
exploit them. In this case, Vulnerability Assessment and Penetration Testing (VAPT) counts
as a powerful cyber defense technology that offers a proactive cyber defense. The research
examines how VAPT can be used for proactive cyber defense and details the entire
lifecycle of doing VAPT on networks or systems, including taking the initiative to
address vulnerabilities that have been found and avert possible data breaches. The
paper also examines some prevalent VAPT techniques and gives an overview of some
popular and useful open-source VAPT tools.
This paper also discusses the importance of VAPT as a cyber defence technology.
By properly removing system vulnerabilities, VAPT can be used as a cyber defense
technology, lowering the chance of cyberattacks. The paper explains several
vulnerability assessment and penetration testing approaches and provides a comprehensive
VAPT life cycle for active defense.
The detailed tutorial in this paper helps in reducing risks and cyber-attacks. The paper
explains various methods of conducting Vulnerability Assessment and Penetration
Testing and provides a comprehensive life cycle of VAPT for proactive defense.
Chapter 03: IMPLEMENTATION
3.1 OVERVIEW
The OWASP Top 10 is a list of the ten most critical vulnerabilities found in web
applications, identified by the Open Web Application Security Project (OWASP), a
nonprofit organization that works to improve the security of software.
This list by OWASP is updated every few years to reflect the changing nature of web
application security. The list is also a way to provide a framework for developers, security
professionals, and organizations to understand the most common and most dangerous web
application security risks that they need to protect against and make their organization more
secure.
Understanding and addressing the vulnerabilities listed in the OWASP Top 10 helps
developers and organizations build more secure web applications and reduce the risk of
data breaches, unauthorized access, and other security incidents. The Top 10 list acts as a
standard for implementing web application security best practices and ensures that security
is always given priority throughout the development and deployment process. It is a valuable
resource for everyone who works on building or securing online applications and is most
frequently used by security experts and organisations as a tool for evaluating the security of
web applications.
3.1.2 Description of Top 10 Vulnerabilities
6. Security Misconfigurations
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using components with Known vulnerabilities
10. Insufficient Logging and Monitoring
Injection: Injection vulnerability is a type of web application security flaw that allows
attackers to insert and execute malicious code in an application, or gain access to sensitive
data. Injection attacks occur when an attacker can input data into an application, such as
through a form, a search bar, or any other text field that asks the user to enter some text, and
that input is not properly validated or sanitized by the application.
One of the most common examples of an injection attack is SQL injection, which involves the
insertion of malicious SQL commands into an application's input fields so that, when the
application builds and executes its query, the attacker can manipulate or retrieve
sensitive data stored in a database. The attack is successful if the attacker is able to gain
access to usernames, passwords, and other sensitive data. Apart from SQL injection there are
also LDAP injection, XPath injection, and OS command injection. These involve inserting
malicious input into other parts of the application that accept input, such as input fields and
text boxes, so as to gain unauthorized access or execute arbitrary code on the target system.
To prevent data loss and maintain a proper security posture, the development team should
handle user input properly: input should be sanitized and validated before it is processed by
the application. This involves filtering and encoding input and using parameterized queries
for database access.
Additionally, organizations should implement secure coding practices and regularly test their
web applications for vulnerabilities to ensure that they are not susceptible to injection attacks.
You can see one of OWASP's examples below:
This query can be exploited by calling up the web page that executes it with the following URL:
http://example.com/app/accountView?id=' or '1'='1, causing the return of all the rows stored
in the database table. The core of a code injection vulnerability is the lack of validation and
sanitization of the data consumed by the web application, which means that this vulnerability
can be present on almost any type of technology.
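To make the OWASP example concrete, here is an added Python example (mine, not OWASP's or this report's code) using an in-memory SQLite table that stands in for the accounts table: the vulnerable handler concatenates the id parameter into the query text, while the fixed handler validates it against an allow-list and binds it as a parameter. The table, columns, rows and the regular expression are constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db() -> sqlite3.Connection:
    # Constructed sample table; stands in for the accounts table behind
    # OWASP's accountView page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("1001", 50), ("1002", 75), ("1003", 20)])
    return conn


def id_param_from_url(url: str) -> str:
    # The raw `id` query parameter exactly as the application receives it.
    return parse_qs(urlsplit(url).query)["id"][0]


def account_view_vulnerable(conn: sqlite3.Connection, cust_id: str):
    # VULNERABLE: the request parameter becomes part of the SQL text, so the
    # payload  ' or '1'='1  turns the WHERE clause into a tautology and every
    # row comes back, exactly as the text above describes.
    query = "SELECT custID, balance FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def account_view_parameterized_only(conn: sqlite3.Connection, cust_id: str):
    # Parameter binding alone: the driver sends the value separately from the
    # SQL text, so the quotes in the payload are just characters to compare.
    return conn.execute(
        "SELECT custID, balance FROM accounts WHERE custID=?", (cust_id,)
    ).fetchall()


# Allow-list for the id parameter (constructed assumption: ids are short digit strings).
CUST_ID_RE = re.compile(r"\d{1,10}")


def is_valid_cust_id(cust_id: str) -> bool:
    return CUST_ID_RE.fullmatch(cust_id) is not None


def account_view_safe(conn: sqlite3.Connection, cust_id: str):
    # FIXED: allow-list validation first (a real handler would answer 400 here),
    # then the parameterized query. Both layers together are the defence the
    # text recommends: validate/filter the input and parameterize the query.
    if not is_valid_cust_id(cust_id):
        return []
    return account_view_parameterized_only(conn, cust_id)


if __name__ == "__main__":
    db = make_db()
    payload = id_param_from_url("http://example.com/app/accountView?id=' or '1'='1")
    print("vulnerable rows returned:", len(account_view_vulnerable(db, payload)))
    print("parameterized rows returned:", len(account_view_safe(db, payload)))
```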
Broken Authentication: Broken Authentication is a security vulnerability that takes place
when an application's authentication mechanism is poorly designed or implemented, which
allows attackers to bypass authentication controls and gain unauthorized access to sensitive
information within an application.
Authentication is the process of verifying the identity of the user or the system, mostly using
the credentials of the user such as username and password. Broken Authentication
vulnerabilities emerge when the application fails to adequately protect user authentication
credentials or lacks the appropriate session management controls, such as the use of session
timeouts or secure cookie settings.
To avoid broken authentication, don’t leave the login page for admins publicly accessible to all
visitors of the website:
/administrator on Joomla!,
/wp-admin/ on WordPress,
/index.php/admin on Magento,
/user/login on Drupal.
Sensitive Data Exposure: Sensitive data exposure is a security flaw that happens when a
system or application is not sufficiently secure to prevent the access or disclosure of sensitive
data, such as personal or financial information. This flaw might provide hackers access to
private information that they could then readily use for malicious purposes.
Sensitive Data Exposure can take place in a number of ways, including:
Insecure data: attackers can take advantage of sensitive data that is stored insecurely or that
is improperly encrypted.
Insufficient data masking: an attacker can access the data when it is displayed or transmitted
in plain text or when it is improperly masked.
Lack of access controls: when there aren't enough access controls in place, attackers can
access private data by taking advantage of system flaws or weak spots.
SQL injection attacks: an attacker can access private information kept in a database by
inserting SQL code into an application.
Misconfigured systems: systems or programs that are improperly configured run the risk of
exposing private information to unauthorised users.
Developers and businesses should use safe methods of coding including encryption of data,
access controls, and appropriate data masking to prevent vulnerabilities that reveal sensitive
data. Additionally, it's important to regularly inspect applications and systems for flaws,
including checking for SQL injection attacks and other typical attack routes. To make sure that
systems and applications are in accordance with the relevant security standards and regulations,
organizations should routinely examine and audit them.
input. This vulnerability usually takes place when an attacker is able to inject malicious XML
code into an application's processing.
In an XXE attack, XML input is modified to reference external entities, that is, files or
network resources named within the XML document. An attacker may be able to access
personal data, run remote code, and carry out other nefarious deeds by taking advantage of
this vulnerability.
To steal sensitive data, such as user credentials, credit card details, or other private information,
an attacker may, for instance, execute an XXE attack. On the targeted system, they might also
employ XXE to launch denial-of-service attacks or run arbitrary code.
Developers should employ safe coding practices and input validation procedures to make sure
that all user-supplied data is appropriately sanitized before processing in order to prevent XXE
attacks.
Additionally, using a secure XML parser library that is designed to mitigate XXE attacks can
provide an additional layer of protection against this type of vulnerability.
What Are the Attack Vectors?
According to OWASP, the XML external entities (XXE) main attack vectors are:
• Exploitation of vulnerable XML processors if malicious actors can upload XML or include
hostile content in an XML document;
• Exploitation of vulnerable code;
• Exploitation of vulnerable dependencies;
• Exploitation of vulnerable integrations
Example of an XML External Entity Attack
According to OWASP, the easiest way to exploit an XXE is to upload a malicious XML file.
Scenario #1: The attacker attempts to extract data from the server
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo
[<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
Scenario #2: An attacker probes the server's private network by changing the above
ENTITY line to:
<!ENTITY xxe SYSTEM "https://192.168.1.1/private" >]>
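As an added example (not from OWASP or the original report), the following Python function parses untrusted XML with the standard-library expat parser and rejects any DOCTYPE or entity declaration outright, which is what a hardened XML parser configuration does; that single rule blocks both scenarios above and internal entity-expansion denial of service. The sample documents are constructed (Scenario #1's payload among them), and `UnsafeXML`, `parse_untrusted_xml` and `rejection_reason` are names of my own.

```python
import xml.parsers.expat as expat

# Constructed sample documents. XXE_DOC is the OWASP Scenario #1 payload quoted
# above; SAFE_DOC is an ordinary document with no DTD; BOMB_DOC sketches (two
# levels only) the entity-expansion DoS that the same DTD ban prevents.
SAFE_DOC = b'<?xml version="1.0" encoding="ISO-8859-1"?><foo>hello</foo>'
XXE_DOC = (b'<?xml version="1.0" encoding="ISO-8859-1"?>'
           b'<!DOCTYPE foo [<!ELEMENT foo ANY >'
           b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>'
           b'<foo>&xxe;</foo>')
BOMB_DOC = (b'<!DOCTYPE lol [<!ENTITY a "aaaaaaaaaa">'
            b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
            b'<lol>&b;</lol>')


class UnsafeXML(ValueError):
    """The document uses DTD features that must not be accepted from untrusted input."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source, refusing any DOCTYPE or entity declaration.

    Returns {"root": <root element name>, "text": <concatenated character data>}.
    """
    parser = expat.ParserCreate()
    state = {"root": None, "text": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires as soon as <!DOCTYPE ...> is seen, before any entity is declared,
        # so neither SYSTEM entities nor internal entity bombs get a chance.
        raise UnsafeXML(f"DOCTYPE {name!r} rejected")

    def on_entity_decl(name, *_):
        # Defence in depth: would catch entity declarations if a DOCTYPE slipped through.
        raise UnsafeXML(f"entity declaration {name!r} rejected")

    def on_external_ref(context, base, system_id, public_id):
        # Defence in depth: never resolve file:// or http(s):// references for a client.
        raise UnsafeXML(f"external entity {system_id!r} rejected")

    def on_start(name, attrs):
        if state["root"] is None:
            state["root"] = name

    def on_text(text):
        state["text"].append(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)  # exceptions raised in handlers propagate from here
    return {"root": state["root"], "text": "".join(state["text"])}


def rejection_reason(data: bytes):
    """Return why a document was rejected, or None if it parsed cleanly."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXML as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for label, doc in (("safe", SAFE_DOC), ("xxe", XXE_DOC), ("bomb", BOMB_DOC)):
        print(label, "->", rejection_reason(doc) or parse_untrusted_xml(doc))
```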
Broken Access Control: Broken Access Control is a type of security vulnerability that occurs
when an application does not properly carry out the restrictions on what actions a user is
authorized to perform. In other words, it's when an attacker gains access to manipulate sensitive
data or to perform unauthorized actions due to weak access controls within an application.
Access controls are created to make sure that users can only access the data and functionality
that they are authorized to access. When access controls are broken, it's possible for an attacker
to easily gain access to sensitive information, modify or delete it, or perform other unauthorized
actions.
For example, let's say a web application allows users to view their own profile information by
accessing a URL like "www.example.com/profiles/user123". However, if an attacker changes
the URL to "www.example.com/profiles/user456", they may be able to access the profile
information of another user. This is a classic example of a Broken Access Control vulnerability.
To prevent Broken Access Control vulnerabilities, developers should implement proper access
controls within their applications, including authentication and authorization mechanisms. This
means ensuring that users are properly authenticated before allowing them to access sensitive
data or functionality, and that they are authorized to perform the specific actions they are
attempting to perform. It's also important to test applications for access control vulnerabilities
during development and regularly throughout the application's lifecycle.
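An added example, not part of the original report: detection logic for the profile-URL pattern described above, run over constructed access-log lines. It pairs each session with the profile it owns (a constructed session table) and flags sessions that were served other users' profiles with HTTP 200; a 403 is the control working and is not counted. The log format, session table and threshold are assumptions of mine.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not from any real system). Each line carries the
# client IP, the session id the application attached, the request line and the status.
LOG_LINES = [
    '10.0.0.5 sess=abc123 "GET /profiles/user123 HTTP/1.1" 200',
    '10.0.0.5 sess=abc123 "GET /profiles/user456 HTTP/1.1" 200',
    '10.0.0.5 sess=abc123 "GET /profiles/user457 HTTP/1.1" 200',
    '10.0.0.5 sess=abc123 "GET /profiles/user458 HTTP/1.1" 403',
    '10.0.0.9 sess=def456 "GET /profiles/user789 HTTP/1.1" 200',
    '10.0.0.9 sess=def456 "GET /profiles/user789 HTTP/1.1" 200',
    '10.0.0.7 sess=ghi789 "GET /profiles/user301 HTTP/1.1" 200',
    '10.0.0.7 sess=ghi789 "GET /static/app.js HTTP/1.1" 200',
]

# Constructed session table: which profile each session is entitled to read.
SESSION_OWNER = {"abc123": "user123", "def456": "user789", "ghi789": "user300"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) sess=(?P<sess>\S+) '
    r'"GET /profiles/(?P<profile>user\d+) HTTP/1\.[01]" (?P<status>\d{3})$'
)


def parse_profile_reads(lines):
    """Yield (session, profile, status) for every /profiles/<user> request in the log."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["sess"], m["profile"], int(m["status"])


def foreign_profile_reads(lines, session_owner):
    """Map session -> sorted list of *other* users' profiles it was served with 200.

    A session that only reads its own profile never appears. A 403 means the
    access control held, so it is not a successful foreign read.
    """
    served = defaultdict(set)
    for sess, profile, status in parse_profile_reads(lines):
        if status == 200 and profile != session_owner.get(sess):
            served[sess].add(profile)
    return {sess: sorted(profiles) for sess, profiles in served.items()}


def idor_alerts(lines, session_owner, threshold=2):
    """Sessions that successfully read at least `threshold` foreign profiles.

    A single foreign read may be a legitimate shared link; a run of different
    ids served with 200 to one session is the URL-tampering pattern above.
    """
    return {sess: profiles
            for sess, profiles in foreign_profile_reads(lines, session_owner).items()
            if len(profiles) >= threshold}


if __name__ == "__main__":
    for sess, profiles in idor_alerts(LOG_LINES, SESSION_OWNER).items():
        print(f"ALERT session {sess} read foreign profiles: {', '.join(profiles)}")
```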
Examples of Access
• Access to a hosting control / administrative panel.
• Access to a server via FTP / SFTP / SSH
• Access to a website’s administrative panel
• Access to other applications on your server
• Access to a database
Security Misconfiguration
When a system or application is not configured properly, Security Misconfiguration can take
place, which can leave it open for the attackers to exploit. It is one of the most common security
issues found in systems and applications and can result in very serious consequences, such as
unauthorized access, data breaches, and system compromise.
A security misconfiguration can occur due to many reasons, such as using default passwords,
unpatched software or operating systems, open ports, unnecessary services running, or lack of
proper access controls. These misconfigurations can be exploited by attackers to gain
unauthorized access to sensitive data, inject malware, or take control of the system.
include:
• Network services
• Platform,
• Web server,
• Application server,
• Database,
• Frameworks,
• Custom code,
• Pre-installed virtual machines,
• Containers,
• Storage.
Another type of XSS attack is the "stored" XSS attack, in which the malicious code is stored on
the server and executed every time the page is viewed by any user. This can lead to a
widespread compromise of the system and its users.
To prevent XSS attacks, it is essential to sanitize user input and encode any special characters to
prevent them from being interpreted as code. Web developers can use security libraries and
frameworks to automatically sanitize inputs, and web application firewalls can be used to detect
and block XSS attacks. Additionally, users can protect themselves by using browser extensions
that block XSS attacks and avoid clicking on suspicious links or downloading unknown files.
Scenario #1:
The application server comes with sample applications that are not removed from the
production server. These sample applications have known security flaws attackers use to
compromise the server. If one of these applications is the admin console and default accounts
weren’t changed, the attacker logs in with default passwords and takes over.
Scenario #2:
Directory listing is not disabled on the server. An attacker discovers they can simply list
directories. They find and download the compiled Java classes, which they decompile and
reverse engineer to view the code. The attacker then finds a serious access control flaw in the
application.
Scenario #3:
The application server’s configuration allows detailed error messages, e.g. stack traces, to be
returned to users. This potentially exposes sensitive information or underlying flaws, such as
component versions. They are known to be vulnerable.
Scenario #4:
A cloud service provider has default sharing permissions open to the Internet by other CSP
users. This allows stored sensitive data to be accessed within cloud storage.
Types of XSS
According to OWASP, there are three types of XSS:
Insecure Deserialization
Serialization is the process of transforming an object's state into a sequence of bytes that
can be stored or transmitted over a network. Deserialization is the reverse process of
reconstructing an object from its serialized form.
Insecure deserialization can allow attackers to manipulate the data being deserialized and execute
arbitrary code on the server or client side. This vulnerability can result in a range of attacks,
including remote code execution, privilege escalation, and denial of service.
Attackers can exploit insecure deserialization by tampering with serialized data in transit or by
sending maliciously crafted serialized data to a vulnerable application. This can result in the
execution of unintended code or the creation of unintended objects, leading to a variety of security
issues.
To protect the system from insecure deserialization vulnerabilities, it is important to validate
and sanitize all untrusted data before it is deserialized. Also, developers should only
deserialize data from trusted sources and ensure that they are using secure serialization
frameworks that provide safeguards against common deserialization attacks.
Scenario #1: A React application calls a set of Spring Boot microservices. Being functional
programmers, they tried to ensure that their code is immutable. The solution they came up with is
serializing the user state and passing it back and forth with each request. An attacker notices the
"R00" Java object signature and uses the Java Serial Killer tool to gain remote code execution on the
application server.
Scenario #2: A PHP forum uses PHP object serialization to save a "super" cookie, containing the
user's user ID, role, password hash, and other states:
a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";
i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
An attacker changes the serialized object to give themselves admin privileges:
a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";
i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
One of the attack vectors presented by OWASP regarding this security risk was a super cookie
containing serialized information about the logged-in user. The role of the user was specified in this
cookie.
If an attacker is able to deserialize the object successfully, modify it to give themselves an
admin role, and serialize it again, this set of actions could compromise the whole web
application.
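An added example, not from OWASP or the original report: a decoder for the subset of PHP's serialize() format used in the super cookie above, which shows how readable and editable the role field is, followed by the HMAC check a server should apply before unserializing anything that came from the client. The key is a constructed placeholder and the function names are mine. Signing only makes tampering detectable; as the text says, the stronger fix is not to unserialize native objects from untrusted sources at all.

```python
import hashlib
import hmac

# The two "super" cookies from the OWASP scenario quoted above (constructed
# sample values; the 32-character hash is the one shown on the page).
ORIGINAL_COOKIE = (b'a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";'
                   b'i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}')
TAMPERED_COOKIE = (b'a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";'
                   b'i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}')


def php_unserialize(data: bytes):
    """Decode the subset of PHP's serialize() format used above: i, b, s and a."""
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after serialized value")
    return value


def _parse(data: bytes, pos: int):
    """Parse one value starting at `pos`; return (value, position after it)."""
    tag = data[pos:pos + 1]
    if tag in (b"i", b"b"):                      # i:<int>;   b:<0|1>;
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        return (int(raw) if tag == b"i" else raw == b"1"), end + 1
    if tag == b"s":                              # s:<len>:"<bytes>";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        if data[colon + 1:colon + 2] != b'"':
            raise ValueError(f"malformed string at {pos}")
        start = colon + 2                        # first byte of the text
        text = data[start:start + length]
        if data[start + length:start + length + 2] != b'";':
            raise ValueError(f"string length mismatch at {pos}")
        return text.decode("utf-8"), start + length + 2
    if tag == b"a":                              # a:<count>:{<key><value>...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        if data[colon + 1:colon + 2] != b"{":
            raise ValueError(f"malformed array at {pos}")
        pos = colon + 2
        items = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            value, pos = _parse(data, pos)
            items[key] = value
        if data[pos:pos + 1] != b"}":
            raise ValueError("unterminated array")
        return items, pos + 1
    raise ValueError(f"unsupported type tag {tag!r} at {pos}")


# Constructed placeholder; a real deployment loads a random secret from configuration.
SECRET_KEY = b"constructed-demo-key-replace-with-a-random-secret"


def _mac(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).hexdigest().encode("ascii")


def sign_cookie(payload: bytes, key: bytes = SECRET_KEY) -> bytes:
    """Server side: append an HMAC so any client-side edit becomes detectable."""
    return payload + b"." + _mac(payload, key)


def load_cookie(cookie: bytes, key: bytes = SECRET_KEY):
    """Verify the MAC in constant time *before* the payload is unserialized."""
    payload, sep, mac = cookie.rpartition(b".")
    if not sep or not hmac.compare_digest(mac, _mac(payload, key)):
        raise ValueError("cookie signature invalid; payload not unserialized")
    return php_unserialize(payload)


def cookie_is_valid(cookie: bytes, key: bytes = SECRET_KEY) -> bool:
    try:
        load_cookie(cookie, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("original role:", php_unserialize(ORIGINAL_COOKIE)[2])
    print("tampered role:", php_unserialize(TAMPERED_COOKIE)[2])
    signed = sign_cookie(ORIGINAL_COOKIE)
    forged = TAMPERED_COOKIE + b"." + signed.rpartition(b".")[2]   # edited payload, old MAC
    print("signed cookie accepted:", cookie_is_valid(signed))
    print("forged cookie accepted:", cookie_is_valid(forged))
```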
The use of third-party components is common in software development, as it helps developers save
time and effort by not having to create every component from scratch. However, using these
components can also introduce security risks into the application, as the vulnerabilities in the
component can be exploited by attackers.
To reduce the risk of using components with known vulnerabilities, developers should always keep
their software components up to date by applying security patches and updates as soon as they
become available. It's also important to monitor the security of the components used in an
application, especially if they are open-source, and to have a process in place for quickly identifying
and addressing any vulnerabilities that may arise. Additionally, developers should carefully vet and
review any third-party components before integrating them into their applications to ensure that they
are secure and reliable.
Vulnerable Applications
According to OWASP, an application is likely vulnerable if:
• You do not know the versions of all components you use (both client-side and server-side). This
includes all the nested dependencies as well as components you directly use.
• The software is vulnerable, unsupported, or maybe out of date. This will include the OS,
web/application server, database management system (DBMS), applications, APIs and all
components, runtime environments, and libraries.
• There is no fixing or upgrading of the underlying platform, frameworks, and dependencies in a
risk-based, timely fashion. This commonly takes place in environments where patching is a monthly or
quarterly task under change control, which leaves organizations open to many days or months of
unnecessary exposure to fixed vulnerabilities.
• The software developers do not test the compatibility of the libraries that are updated, upgraded, or
patched.
• You do not secure the components’ configurations.
Scenario #1: An open-source project forum software run by a small team was hacked using a flaw
in its software. The attackers managed to wipe out the internal source code repository containing the
next version and all of the forum contents. Although the source could be recovered, the lack of
monitoring, logging, or alerting led to a far worse breach. The forum software project is no longer
active as a result of this issue.
Scenario #2: An attacker scans for users with a common password. They can take over all accounts
with this password. For all other users, this scan leaves only one false login behind. After some
days, this may be repeated with a different password.
Scenario #3: A major U.S. retailer reportedly had an internal malware analysis sandbox analyzing
attachments. The sandbox software had detected potentially unwanted software, but no one
responded to this detection. The sandbox had been producing warnings for some time before
detecting the breach due to fraudulent card transactions by an external bank.
3.2 ANALYSIS
With the increasing adoption of technology, especially in the form of IoT devices, networks
are becoming more vulnerable to security threats. Hence, Vulnerability Assessment and
Penetration Testing (VAPT) plays a very important role in ensuring the security of networks.
By conducting VAPT, organizations can easily identify and address various types of
vulnerabilities in their applications and networks. There are multiple sectors today that invest
heavily in improving their security systems, and VAPT services are a significantly dependable
measure to protect networks from hackers and cybercriminals.
Fig 2: Steps involved in VAPT. [8]
https://www.guru99.com/vulnerability-assessment-testing-analysis.html
Identifying vulnerabilities: The first and primary goal of a VAPT is to detect vulnerabilities
in an organization's systems and networks. This includes vulnerabilities in operating
systems, software applications, network devices, and other components that attackers can
exploit to gain access to the organization's network or data.
Testing security controls: Vulnerability assessment and penetration testing can be applied
to examine the effectiveness of an organization's security controls, including intrusion
detection systems, firewalls, and antivirus software, in order to determine whether the
measures in place are correct and sufficient to protect against potential threats.
Evaluation of incident response procedures: A VAPT can also be used to evaluate an
organization's incident response procedures. This involves testing how well the
organization is able to detect, contain, and respond to security incidents.
Measuring compliance with regulations: A VAPT can also help organizations measure their
compliance with relevant regulations, such as HIPAA or PCI-DSS. This involves identifying
areas of non-compliance and developing recommendations for addressing them.
Overall, the main aim of a VAPT is to provide the organization with a better understanding
of its security posture and help them improve it by finding out and addressing the
vulnerabilities and the bugs in its systems and the network, and also by conducting a proper
test to measure the effectiveness of its security controls and the incident response strategy.
3.2.2 Scope
4. Web applications: The VAPT also includes testing of all web applications that are
made available over the internet or the internal network.
5. Mobile applications: Any mobile application that the company might have should
also be included in the VAPT.
7. Physical security: If the VAPT includes physical security testing, it should cover all
physical access points to the organization's facilities, including doors, windows, and
other entry points.
The scope of a VAPT is carefully defined and is targeted to ensure that all relevant systems
and networks are tested, and that the testing is conducted in a manner that is completely safe,
and compliant with any relevant regulations or standards in particular. Additionally, the
scope of the VAPT is reviewed periodically to ensure that it remains relevant and up-to-date
in the face of changing threats and technologies.
Black box testing: Testing from an external network with no prior knowledge of the internal
network and systems.
Grey Box Testing: Testing from either external or internal networks with the knowledge of
the internal network and the system. It’s the combination of both black and white box testing.
White Box testing: Testing within the internal network with the knowledge of the internal
network and system. Also known as Internal Testing
While performing a VAPT it is very important to have complete information about the
target before performing the assessment. Information gathering helps the tester learn about
the target system and the application that is going to be tested. There are a few key
activities and points that are important to know when gathering information:
Network scanning: The first step is host discovery across the in-scope network ranges, to
identify the live systems and the applications that will be tested. Tools such as Nmap,
Netdiscover and Angry IP Scanner can be used; note that Netdiscover relies on ARP and
therefore only finds hosts on the local network segment.
Port Scanning: After the target systems have been scanned and identified, the next step is to
scan the ports on those systems to determine which services are running and which ports are
open. Port scanning can be achieved using tools such as Nmap, Masscan, and Hping.
Service identification: Once port scanning is complete and open ports have been found, the
tester attempts to identify the services and versions running on those ports, since the version
information is what later vulnerability lookups depend on. This can be done with Nmap's
version detection (-sV) or with banner-grabbing tools such as BannerGrab, Netcat and Telnet.
OS fingerprinting: To narrow down potential vulnerabilities, the tester also tries to determine
the operating system of each target system, from TCP/IP stack behaviour and service banners.
Nmap (-O), p0f and Xprobe2 are tools that can be used for this.
Web application fingerprinting: If web applications are in scope, the tester also tries to
identify the web server, programming language and framework in use, since known
weaknesses are tied to specific products and versions. Tools such as WhatWeb, Wappalyzer
and Netcraft can be used for this.
Social engineering: To learn more about the target organization's employees and security
awareness, the information-gathering phase may also use social engineering techniques such
as phishing e-mails or phone calls. These must be explicitly authorised in the rules of
engagement before they are used.
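The reconnaissance steps above produce scanner output that has to be turned into a target list before the port and service review can start. The script below is an added example written for this page (it is not a tool from the report or from the Nmap project): it parses Nmap's XML output (-oX) into a host, port and service inventory and pulls out two things a tester acts on straight away, open cleartext-protocol services and open ports where version detection returned nothing, so a manual banner grab with Netcat or Telnet is needed. The XML embedded in it is constructed to resemble `nmap -sV -O -oX` output for documentation addresses; no real host was scanned.

```python
"""Turn Nmap XML output into a host/port/service inventory.

Added example, not from the report. SAMPLE_NMAP_XML is constructed to look like
what `nmap -sV -O -oX scan.xml 192.0.2.0/28` writes (192.0.2.0/24 is a
documentation range, so these are not real hosts); real output parses the same way.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.0/28">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
    <os><osmatch name="Linux 4.15 - 5.6" accuracy="96"/></os>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2016" accuracy="91"/></os>
  </host>
  <host><status state="down"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>
"""

# Protocols that carry credentials or data unencrypted: a finding on their own.
CLEARTEXT_SERVICES = {"ftp", "telnet", "pop3", "imap", "smtp", "http"}

@dataclass
class Service:
    port: int
    protocol: str
    name: str
    product: str = ""
    version: str = ""

@dataclass
class Host:
    address: str
    hostname: str
    os_guess: str
    services: list = field(default_factory=list)  # open ports only

def parse_nmap_xml(xml_text):
    """Return a Host for every host Nmap reported as up, with its open ports."""
    hosts = []
    for host_el in ET.fromstring(xml_text).iter("host"):
        status = host_el.find("status")
        addr_el = host_el.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr_el is None:
            continue
        name_el = host_el.find("hostnames/hostname")
        os_el = host_el.find("os/osmatch")  # Nmap lists the best match first
        host = Host(address=addr_el.get("addr"),
                    hostname=name_el.get("name") if name_el is not None else "",
                    os_guess=os_el.get("name") if os_el is not None else "unknown")
        for port_el in host_el.findall("ports/port"):
            state = port_el.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not attack surface
            svc = port_el.find("service")
            attrs = svc.attrib if svc is not None else {}
            host.services.append(Service(int(port_el.get("portid")), port_el.get("protocol"),
                                         attrs.get("name", ""), attrs.get("product", ""),
                                         attrs.get("version", "")))
        hosts.append(host)
    return hosts

def open_ports(hosts):
    """address -> sorted open port numbers, the input to the port/service review."""
    return {h.address: sorted(s.port for s in h.services) for h in hosts}

def cleartext_findings(hosts):
    """(address, port, service) for each open cleartext protocol."""
    return [(h.address, s.port, s.name) for h in hosts
            for s in h.services if s.name in CLEARTEXT_SERVICES]

def unversioned_services(hosts):
    """Open services where -sV found no product: grab the banner by hand."""
    return [(h.address, s.port, s.name) for h in hosts for s in h.services if not s.product]

if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in inventory:
        print(f"{h.address} ({h.hostname or 'no PTR'}) OS guess: {h.os_guess}")
        for s in h.services:
            print(f"  {s.port}/{s.protocol} {s.name} {s.product} {s.version}".rstrip())
    print("cleartext:", cleartext_findings(inventory))
    print("banner grab needed:", unversioned_services(inventory))
```

Closed and filtered ports are dropped on purpose: only open ports are attack surface, and keeping the inventory to what is reachable keeps the later service-identification and vulnerability-lookup work focused. Run it against a real `-oX` file by replacing SAMPLE_NMAP_XML with the file's contents.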
Spider the web application: Once the target has been identified, the next step is to crawl
(spider) the web application to enumerate its pages, links and parameters. In older Burp Suite
releases this is done with the Spider tool; in Burp Suite 2.x the Spider has been replaced by the
crawler built into Burp Scanner, which is started from the Dashboard.
Conduct the vulnerability scan: After crawling is complete, the next step is to run the
vulnerability scan. Burp Scanner (available in Burp Suite Professional, not in the Community
edition) audits the web application automatically for vulnerabilities based on the pages and
parameters identified during crawling. Automated results are candidates to be verified
manually, not confirmed findings.
3. Vulnerability Analysis
Using Burp Suite for this step:
Issue details pane: This pane provides detailed information about each reported vulnerability,
including its severity and confidence level, the affected URL, the specific parameters involved,
and the request and response that demonstrate it. It also gives background on the issue class
and recommended remediation actions.
Fig 5: Attack Surface Analysis.
4. Reporting
Burp Suite Professional includes a report generator for the issues found by Burp Scanner.
The key steps involved in generating a report are:
1. Open the issue list (Target > Site map > Issues, or the Dashboard), which holds all the
issues (vulnerabilities) identified during the scan.
2. Select the issues to include, right-click and choose "Report selected issues", which opens
the report wizard.
3. Choose the report format. Burp Suite generates HTML or XML reports; XML is the format
to use when the results are to be imported into another tool.
4. Configure the report settings, such as the level of detail, the output file location and the
report title and description.
5. Complete the wizard to generate the report.
Burp Suite produces a report that includes a summary of the issues, detailed information about
each issue, and recommended remediation actions.
5. Remediation
Remediation is the final step in the VAPT (Vulnerability Assessment and Penetration Testing)
process: the vulnerabilities identified during the assessment have to be fixed and the fixes
verified. It involves correcting the weaknesses found, prioritised by severity and exploitability,
and putting controls in place that reduce the risk of exploitation in future; a retest confirms that
each fix is effective.
Burp Suite
Burp Suite (used most of the time for dynamic analysis of web applications and of the web
APIs behind mobile applications)
Burp, or Burp Suite, is a set of tools used for penetration testing of web applications. It is
developed by PortSwigger, which is also the alias of its founder Dafydd Stuttard. Burp Suite
aims to be an all-in-one set of tools, and its capabilities can be extended by installing add-ons
called BApps.
Burp Suite Modules:
Target
Proxy
Spider
Scanner
Intruder
Repeater
Sequencer
Decoder
Comparer
Extender.
Target:
The Target tool gives an overview of the target application's content and functionality (the site
map), lets you define the scope of the test, and drives key parts of the testing workflow, such as
sending requests to the other tools.
Proxy:
The Proxy tool lies at the heart of Burp’s user-driven workflow, and gives you a direct view
into how your target application works “under the hood”. It operates as a web proxy server,
and sits as a man-in-the-middle between your browser and destination web servers. This lets
you intercept, inspect and modify the raw traffic passing in both directions.
Fig 6: Proxy
Spider
Burp Spider is a tool for automatically crawling web applications. It can be used in
conjunction with manual mapping techniques to speed up mapping an application's content
and functionality. In Burp Suite 2.x the standalone Spider has been replaced by the crawler
built into Burp Scanner.
Fig 7: Spider
Scanner
Burp Scanner is a tool for automatically finding security vulnerabilities in web applications. It
is designed to be used by security testers and to fit in closely with existing techniques and
methodologies for manual and semi-automated penetration testing of web applications. It is
only included in Burp Suite Professional; the Community edition has no scanner, and every
reported issue should be confirmed manually (for example in Repeater) before it goes into a
report.
Fig 8: Scanner
Intruder
Burp Intruder is a tool for automating customised attacks against web applications. It is
extremely powerful and configurable and can be used for a huge range of tasks, from simple
brute-force guessing of web directories and passwords to active exploitation of complex blind
SQL injection vulnerabilities. In the Community edition Intruder is rate-limited, which makes
large payload lists slow; the Professional edition has no such limit.
Fig 9: Intruder
Repeater
Burp Repeater is a simple tool for manually modifying and reissuing individual HTTP
requests and analysing the application's responses. It can be used for many purposes, such as
changing parameter values to test for input-based vulnerabilities, issuing requests in a specific
sequence to test for logic flaws, and reissuing requests from Burp Scanner issues to manually
verify reported findings.
Decoder
Burp Decoder is a tool for converting encoded data back into its original form, and for
transforming raw data into various encoded and hashed forms. It supports URL, HTML, Base64,
ASCII hex, octal, binary and gzip encodings as well as common hash functions, and its Smart
decode option tries to recognise the encoding automatically and apply the right transformation,
repeatedly when data is encoded in several layers. Encoding is the process of putting a sequence
of characters (letters, numbers, punctuation and symbols) into a specialised format for efficient
transmission or storage; decoding is the reverse process, converting an encoded format back
into the original. Recognising and stripping layers of encoding matters in testing because
applications often filter input before one layer is decoded and use it after another.
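As an added example of the layered decoding that Decoder's Smart decode performs (written for this page; it is not Burp's or PortSwigger's code), the script below chains URL, HTML-entity, hex and Base64 decoding heuristics and records each layer it strips. The sample input is constructed: an XSS probe that has been URL-encoded and then Base64-encoded, as it might appear in a cookie or hidden field.

```python
"""Layered "smart decode" of the kind Burp Decoder performs.

Added example, not Burp's code. Each decoder is a heuristic: it fires only when
the input looks like that encoding and decodes to printable text, and decoding
repeats until no heuristic matches, so nested encodings are unwrapped layer by
layer. Like any such heuristic it can misfire on short inputs, which is why the
result lists every layer instead of only the final value.
"""
import base64
import binascii
import html
import re
import urllib.parse

def _printable(text):
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)

def try_url(s):
    if not re.search(r"%[0-9A-Fa-f]{2}", s):
        return None
    out = urllib.parse.unquote(s)
    return out if out != s else None

def try_html(s):
    if not re.search(r"&(#\d+|#x[0-9A-Fa-f]+|[A-Za-z]+);", s):
        return None
    out = html.unescape(s)
    return out if out != s else None

def try_hex(s):
    if len(s) < 2 or len(s) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", s):
        return None
    try:
        out = bytes.fromhex(s).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return out if _printable(out) else None

def try_base64(s):
    if len(s) < 4 or len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        out = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return out if _printable(out) else None

# Order matters: hex is tried before Base64 because every hex string is also a
# syntactically valid Base64-alphabet string.
DECODERS = [("url", try_url), ("html", try_html), ("hex", try_hex), ("base64", try_base64)]

def decode_layers(value, max_depth=8):
    """Return [(encoding, text), ...] from the raw input to the innermost
    decodable layer; a single ("raw", value) entry means nothing matched."""
    layers = [("raw", value)]
    current = value
    for _ in range(max_depth):
        for name, decoder in DECODERS:
            decoded = decoder(current)
            if decoded is not None:
                layers.append((name, decoded))
                current = decoded
                break
        else:
            break
    return layers

# Constructed sample: an XSS probe, URL-encoded and then Base64-encoded.
PAYLOAD = "<script>alert(1)</script>"
SAMPLE = base64.b64encode(urllib.parse.quote(PAYLOAD, safe="").encode()).decode()

if __name__ == "__main__":
    for name, text in decode_layers(SAMPLE):
        print(f"{name:>7}: {text}")
```

Each decoder returns None unless the input both looks like the encoding and decodes to printable text, so a plain word is left alone rather than being mangled; the depth limit stops pathological inputs that happen to re-decode indefinitely.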
3.4 SYSTEM DEVELOPMENT CYCLE
To produce software or any other type of product in a controlled way, the Software
Development Life Cycle (SDLC) has to be understood. In the context of VAPT, following an
SDLC helps ensure that the engagement is managed properly and that the resulting VAPT
solution is developed in a systematic and consistent manner. One simple way to apply the
SDLC to a VAPT project is the waterfall model:
Implementation: In this phase, the VAPT team executes the testing plan, using the
selected tools and methodologies to identify and evaluate vulnerabilities in the
target systems and applications.
Testing: During this step, the VAPT team reviews the testing results, confirming that the
reported vulnerabilities are genuine (removing false positives), that the coverage agreed in the
scope was achieved, and that the overall VAPT solution fulfils the objectives that were
established.
Deployment: During this step, the recommended security controls and measures are put into
place to address the vulnerabilities that were discovered during the testing phase. The
deployment process is crucial because it closes the security gaps found during testing, which
lowers the overall risk to the system or application.
Maintenance: This stage mostly comprises VAPT's post-completion work.
Because threats and vulnerabilities can vary over time, security controls and
procedures must be updated and maintained to stay up with those changes. This is
why the maintenance phase is vital.
Chapter 04: PERFORMANCE ANALYSIS & RESULTS
The technical impact of the NoSQL injection vulnerability is severe: an attacker can bypass
authentication and gain access to the admin user account. This access allows the attacker to
manipulate orders and products and to modify and delete data, ultimately leading to full control
of the website.
To remediate this vulnerability, NoSQL queries must never be constructed from unsanitised
user input: each field taken from the request should be checked to be of the expected type (a
string, not an object that can carry operators such as $ne or $regex) before it is placed in a
query, and the driver's query builders or an existing escaping library should be used rather
than building the query from the raw request object. Although NoSQL
databases
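The bypass and the fix described above, as an added example that is not the report's code and does not use a real database: `_matches()` is a constructed stand-in for the MongoDB query matcher, supporting only field equality and the `$ne`, `$gt` and `$regex` operators; the user records and request bodies are constructed, and the password values stand in for stored hashes. `login_vulnerable()` places the parsed JSON fields into the query untyped, so `{"$ne": ""}` in place of the password matches any account, while `login_hardened()` refuses anything that is not a plain string before it reaches the query.

```python
"""Operator injection against a MongoDB-style login query, and the fix.

Added example, not the report's code. No database driver is used: _matches()
is a small constructed re-implementation of the subset of MongoDB query
semantics (equality plus $ne, $gt and $regex) needed to show why a login
handler that drops the parsed JSON body straight into find_one() can be
bypassed, and why checking field types closes the hole.
"""
import json
import re

# Constructed user collection; password values stand in for stored hashes.
USERS = [
    {"_id": 1, "username": "admin", "password": "hash-of-admin-secret", "role": "admin"},
    {"_id": 2, "username": "alice", "password": "hash-of-alice-secret", "role": "customer"},
]

OPERATORS = {
    "$ne": lambda stored, arg: stored != arg,
    "$gt": lambda stored, arg: type(stored) is type(arg) and stored > arg,
    "$regex": lambda stored, arg: isinstance(stored, str) and re.search(arg, stored) is not None,
}

def _matches(doc, query):
    for key, condition in query.items():
        stored = doc.get(key)
        if isinstance(condition, dict):
            # an operator object such as {"$ne": ""}: every operator must hold
            for op, arg in condition.items():
                if op not in OPERATORS or not OPERATORS[op](stored, arg):
                    return False
        elif stored != condition:
            return False
    return True

def find_one(collection, query):
    return next((doc for doc in collection if _matches(doc, query)), None)

def login_vulnerable(body_json):
    """Uses the request fields as query values without checking their type,
    so a JSON object sent in place of a string becomes a query operator."""
    body = json.loads(body_json)
    return find_one(USERS, {"username": body.get("username"), "password": body.get("password")})

def validate_login_body(body_json):
    """True only when both fields are present and are plain strings."""
    body = json.loads(body_json)
    return isinstance(body.get("username"), str) and isinstance(body.get("password"), str)

def login_hardened(body_json):
    """Rejects non-string fields before they reach the query. A real
    application would additionally hash the submitted password and compare
    it to the stored hash with a constant-time comparison."""
    if not validate_login_body(body_json):
        return None
    body = json.loads(body_json)
    return find_one(USERS, {"username": body["username"], "password": body["password"]})

# Constructed requests: BYPASS needs no knowledge of any password; ENUMERATE
# finds accounts one username prefix at a time.
LEGIT = '{"username": "alice", "password": "hash-of-alice-secret"}'
BYPASS = '{"username": "admin", "password": {"$ne": ""}}'
ENUMERATE = '{"username": {"$regex": "^ad"}, "password": {"$ne": ""}}'

if __name__ == "__main__":
    for label, body in [("legit", LEGIT), ("bypass", BYPASS), ("enumerate", ENUMERATE)]:
        print(label, "vulnerable:", login_vulnerable(body), "hardened:", login_hardened(body))
```

The type check is the control, not escaping: the operator payload contains no special characters to escape, it is an object where a string was expected, and only a schema or type check at the boundary catches it.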
4.2.2 Admin Credentials Exposed
Description: In this test the admin credentials were found to be exposed and publicly
accessible. An attacker can obtain them through fuzzing or content discovery and gain access
to the complete admin account.
Description: The source code of the application is exposed publicly and accessible to anyone.
Technical Impact: Because the source code is publicly accessible, an attacker can read it and
locate further vulnerabilities by reviewing the disclosed code.
Remediation: Before deploying to production, check the deployment for sensitive files and
directories (credential files, backups, version-control folders, source archives) and remove
them or block access to them.
49
4.2.4 Price Manipulation leads to free product purchase
Description: This business logic vulnerability lets an attacker purchase any product for free:
the application accepts the order total submitted by the client instead of recalculating it from
the server-side prices.
Affected Parameter: totalPrice
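As an added example (not the report's code; the catalogue, product ids and orders are constructed), the following shows the flaw and its fix side by side: `checkout_vulnerable()` charges whatever `totalPrice` the client sends, while `checkout_hardened()` recomputes the total from server-side prices and validated quantities, rejecting unknown products, non-integer quantities and negative or oversized quantities, which also covers the related trick of generating a refund with a negative quantity.

```python
"""Server-side price recalculation for a checkout that trusted totalPrice.

Added example, not the report's code. CATALOG and the sample orders are
constructed. checkout_vulnerable() mirrors the flaw described above: the
total charged is whatever the client sent in totalPrice. checkout_hardened()
ignores that field and derives the total from the server-side catalogue and
validated quantities.
"""
from decimal import Decimal

# Constructed product catalogue: product id -> unit price in the shop currency.
CATALOG = {
    "P-1001": Decimal("19.99"),
    "P-1002": Decimal("5.00"),
}
MAX_QUANTITY = 100

def checkout_vulnerable(order):
    """Charge the amount the client claims the basket is worth."""
    return Decimal(str(order["totalPrice"]))

def checkout_hardened(order):
    """Charge the amount the server computes; raise ValueError for anything
    that should never come from a well-behaved client."""
    items = order.get("items")
    if not isinstance(items, list) or not items:
        raise ValueError("order has no items")
    total = Decimal("0")
    for item in items:
        product_id = item.get("productId")
        quantity = item.get("quantity")
        if product_id not in CATALOG:
            raise ValueError(f"unknown product {product_id!r}")
        # bool is a subclass of int, so exclude it explicitly; floats and
        # strings are rejected rather than coerced.
        if isinstance(quantity, bool) or not isinstance(quantity, int):
            raise ValueError("quantity must be an integer")
        if quantity < 1 or quantity > MAX_QUANTITY:
            raise ValueError(f"quantity {quantity} out of range")
        total += CATALOG[product_id] * quantity
    return total  # order["totalPrice"], if present, is never consulted

# Constructed requests: an honest basket, the same basket with totalPrice
# rewritten to 0 (the finding above), and a negative-quantity variant.
HONEST = {"items": [{"productId": "P-1001", "quantity": 2},
                    {"productId": "P-1002", "quantity": 1}], "totalPrice": "44.98"}
FREE = {**HONEST, "totalPrice": 0}
REFUND = {"items": [{"productId": "P-1001", "quantity": -3}], "totalPrice": "-59.97"}

def is_rejected(order):
    """True when the hardened checkout refuses the order."""
    try:
        checkout_hardened(order)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("vulnerable, tampered total:", checkout_vulnerable(FREE))
    print("hardened, tampered total:  ", checkout_hardened(FREE))
    print("negative quantity rejected:", is_rejected(REFUND))
```

The general rule the fix applies is that the client may only ever send identifiers and quantities; every monetary value is derived on the server, and the submitted total is at most compared against the server's figure to detect tampering, never used.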
Chapter 05: CONCLUSION
5.1 CONCLUSION