Templ Presentation & Penetration Test Report by Muaz

This document is a web application penetration testing report for bWAPP conducted by Muaz Ibn Masud, detailing vulnerabilities and weaknesses found during the assessment. The testing aimed to identify critical flaws that could compromise sensitive systems and data, with a focus on the OWASP Top 10 vulnerabilities. The report includes a methodology, risk severity assessment, and specific recommendations for remediation.

Uploaded by

mmuuaazzmmaann
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
23 views21 pages

Templ Presentation & Penetration Test Report by Muaz

This document is a web application penetration testing report for bWAPP conducted by Muaz Ibn Masud, detailing vulnerabilities and weaknesses found during the assessment. The testing aimed to identify critical flaws that could compromise sensitive systems and data, with a focus on the OWASP Top 10 vulnerabilities. The report includes a methodology, risk severity assessment, and specific recommendations for remediation.

Uploaded by

mmuuaazzmmaann
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 21

Web Application Penetration Testing Report for
bWAPP; IP: 127.0.0.1 (Running on LocalHost)
v.1.0

By,
Muaz Ibn Masud; [email protected]

On, bWAPP; Localhost Server

*This report is not completely accurate, as that is impossible.

This document contains sensitive information about the computer security environment, practices, current vulnerabilities, and weaknesses in the client security
infrastructure, as well as proprietary tools and methodologies developed or used by me (Muaz). Reproduction or distribution of this document must be approved
by either the client or me (Muaz Ibn Masud). This document is subject to the terms and conditions of a non-disclosure agreement between me (Muaz) and the
client (instructor Imtiaz).
Web Application Penetration Testing Report for XYZ    Page-2

Report Details

Title: Web Application Penetration Testing Report for XYZ
Project Resource: Muaz Ibn Masud
Project Duration: DD-MM

Report History

Version   Date
v1.0      DDDD

Table of Content:

1. Executive Summary
This document constitutes the final report for the web application penetration test performed on your domain, executed
within the project's 7-day timeline. The Grey Box assessment was conducted against the production environment, subject to
all stated limitations.

The objective of this service was to proactively discover flaws, weaknesses, and vulnerabilities that could lead to critical
service interruption or compromise of sensitive systems and data. By providing details on vulnerabilities and specific
remediation guidance, our intent is to help Audit Solution protect its business-critical application and data.

1.1 Project Timeline
The penetration test was performed on bWAPP on 11/2/2025. The domain was tested for 4 work hours; reporting took
10-14 work hours in total.

1.2 Scope
We have performed a web application penetration testing exercise on the following scope:
URL: A Web App (bWAPP)

1.3 Overall Risk Severity: Critical

Overall Risk Severity (Impact vs. Likelihood)

                 Likelihood
Impact      LOW       MEDIUM    HIGH
HIGH        MEDIUM    HIGH      CRITICAL
MEDIUM      LOW       MEDIUM    HIGH
LOW         NOTE      LOW       MEDIUM

1.4 Assumptions and constraints

New vulnerabilities and risks are discovered and also made public. As the environment changes, an organization's overall
security posture will change. Such changes may affect the validity of this letter.

Any outcome of the services performed is limited to a point-in-time examination of the environments tested. It does not
constitute any form of representation, warranty, or guarantee that the systems are 100% secure from every form of attack.
While my methodology includes automated and manual testing to identify and attempt the most common security issues,
testing was limited to an agreed-upon timeframe. It is possible that not every vulnerability identified by our scanning
platform was tested during this engagement.

● Denial of service issues that could potentially disrupt the client environment were not tested.
● Social engineering attacks and information reconnaissance were not in scope for this assessment.

2. Methodology
Our penetration testing methodology is grounded on the following guides and standards:

● Penetration Testing Execution Standard
● OWASP Top 10 Application Security Risks, 2021
● OWASP Testing Guide 4.2
● OWASP ASVS 4.0.3

Among the checks performed over the Web application, the following checks related to the most common vulnerabilities
(OWASP Top 10 and MITRE Attack Framework) were included:

A01:2021-Broken Access Control
Access controls enforce policies so that users cannot act outside of their intended permissions. Failures typically lead to
unauthorized information disclosure or modification, destruction of data, or performing a business function outside the
user's limits.

A02:2021-Cryptographic Failures
Cryptographic failures involve protecting data in transit and at rest. This includes passwords, credit card numbers, health
records, personal information, and business secrets that require extra protection, especially if that data falls under privacy laws
such as GDPR or regulations like PCI Data Security Standard (PCI DSS) for financial data.

A03:2021-Injection
Injection, which now includes cross-site scripting, occurs when untrusted data is sent to an interpreter as part of a
command or query, tricking the interpreter into executing unintended commands or accessing data without proper
authorization.

A04:2021-Insecure Design
Insecure Design focuses on risks related to design flaws. This means using more threat modeling, secure design patterns
and principles, and reference architectures to shift security left. It is a broad category representing many different
weaknesses.

A05:2021-Security Misconfiguration
This category includes missing security hardening across any part of the application stack, improperly configured
permissions on cloud services, any unnecessary features that are enabled or installed, and unchanged default accounts or
passwords. The former category XML External Entities (XXE) is now included in Security Misconfiguration.

A06:2021-Vulnerable and Outdated Components
This category includes any software that is vulnerable, unsupported, or out of date. If you do not know the versions of your
components—including all direct and indirect dependencies—or you do not regularly scan and test your components, you
are likely at risk.

A07:2021-Identification and Authentication Failures
Security risk occurs when a user's identity, authentication, or session management is not handled correctly, allowing
attackers to exploit passwords, keys, session tokens, or implementation flaws to assume users' identities temporarily or
permanently.

A08:2021-Software and Data Integrity Failures
Software and Data Integrity Failures refer to code and infrastructure that fails to protect against integrity violations. This
includes software updates, critical data, and CI/CD pipelines that are implemented without verification. An example of
this includes objects or data encoded or serialized into a structure that an attacker can modify.

A09:2021-Security Logging and Monitoring Failures
This category includes errors in detecting, escalating, and responding to active breaches. Without logging and monitoring,
breaches cannot be detected. Examples of insufficient logging, detection, and monitoring include not logging auditable
events like logins or failed logins, warnings and errors that generate inadequate or unclear log messages, or logs that are
only stored locally.

A10:2021-Server-Side Request Forgery (SSRF)
Server-Side Request Forgery occurs when a web application fetches a remote resource without validating the user-supplied
URL. An attacker can coerce the application to send a crafted request to an unexpected destination, even when protected by a
firewall, VPN, or another type of network ACL.

As a baseline for testing, the OWASP Application Security Verification Standard 3.0 was used, and the security
verification level applied was ASVS Level 1 (Opportunistic).

3. Testing Approach
Web application penetration testing is comprised of five main steps, including information gathering, research and
exploitation, reporting and recommendations, and remediation with ongoing support. These tests are performed primarily
to maintain secure software code development throughout its lifecycle. Coding mistakes, specific requirements, or a lack of
knowledge of cyber-attack vectors are the main reasons for performing this type of penetration test.

[Image: OWASP Top 10 by Certera]
Pre-engagement phase of Pen-testing
Determining the scope of the penetration test ensures that both the target and the tester know what to expect from the test.
There are certain assets that the pen testers are allowed to test, those are within the scope of the pen test, others are not.
Similarly, the target organization’s security posture is tested for a predetermined set of vulnerabilities, anything out of that
set is out of scope for the pen test.

3.1 Discovery
The discovery phase can be divided into two parts:

● Further information gathering: This first part involves gathering more information about the target network
using a range of different techniques. Hackers can uncover host-names and IP information using techniques like
DNS interrogation, network sniffing, etc.
● Vulnerability Scan: This part consists of testing the application or the operating system for known
vulnerabilities. You can get an automated scan where the system is tested against a vulnerability database.

3.2​Vulnerability Analysis
Upon understanding the critical control points within the system, the pen tester can then minutely examine the
probable attack vectors.

This involves scanning the target application for vulnerabilities using scanners such as Zed Attack Proxy (ZAP), Burp
Suite Pro, or Nessus to understand how the application responds to various intrusion attempts and identify security
loopholes.

3.3 Automated Application Testing
We used several commercial tools to survey the targeted environment and identify potential vulnerabilities. The
automated scanning software identifies application-level vulnerabilities. The scope of testing includes, but is not limited
to, the following:

●​ OS Command Injection
●​ SQL Injection
●​ Cross-Site Scripting
●​ Clickjacking
●​ LFI/ RFI
●​ File Upload
●​ Buffer Overflow
●​ Path Manipulation
●​ Site Search
●​ Directory Traversal
●​ Authorization Assessment
●​ Brute Force Authentication attacks

3.4 Manual Application Testing
Using the information produced by the automated testing software, we also employed manual testing techniques to
identify and attempt exploiting additional vulnerabilities in the targeted application and to eliminate false positives
produced by the automated scanning process. The assessment was conducted in accordance with the best-in-class
practices as defined by such methodologies as ISECOM's Open-Source Security Testing Methodology Manual
(OSSTMM) and the Open Web Application Security
Project (OWASP).

I performed the following actions as part of this testing:

● Observed types and placement of security controls
● SSL/TLS certificate strength check
● Identification of component versions

3.5 Reporting & Recommendations
All the previous penetration testing phases contribute to this phase, where a VAPT report is created and shared with the
client. In the reporting phase, the pen testers provide detailed information about the vulnerabilities, such as:

● The description of the vulnerabilities.
● Ratings according to a common vulnerability scoring system.
● Severity and impact of vulnerability.
● Risk assessment report.
● POCs.
● Recommendations for fixing the vulnerabilities.

OWASP ASVS Checklist for Information Gathering

No  Test Name                                                                      Result
1   Conduct Search Engine Discovery and Reconnaissance for Information Leakage     N/A
2   Fingerprint Web Server                                                         Pass
3   Review Webserver Metafiles for Information Leakage                             Issues
4   Enumerate Applications on Webserver                                            Issues
5   Review Webpage Comments and Metadata for Information Leakage                   Issue
6   Identify application entry points                                              Issue
7   Map execution paths through application                                        Issue
8   Fingerprint Web Application Framework                                          Pass
9   Fingerprint Web Application                                                    Pass
10  Map Application Architecture                                                   Issue

Configuration and Deploy Management Testing

No Test Name Result
1 Test Network/Infrastructure Configuration Issue
2 Test Application Platform Configuration Issue
3 Test File Extensions Handling for Sensitive Information Pass
4 Backup and unreferenced files for Sensitive Information Issues
5 Enumerate Infrastructure and Application Admin Interfaces Pass
6 Test HTTP Methods Pass
7 Test HTTP Strict Transport Security (CVE-2024-49797) Issues
8 Test RIA cross-domain policy (CVE-2021-41557) Issue

Identity Management Testing

No Test Name Result
1 Test Role Definitions N/A
2 Test User Registration Process Issue (Weak)
3 Test Account Provisioning Process Pass
4 Testing for Account Enumeration and Guessable User Account (CVE-2004-0082) Issues
5 Testing for Weak or unenforced username policy (CVE-2024-42173) Issue
6 Test Permissions of Guest/Training Accounts Pass
7 Test Account Suspension/Resumption Process Issue

Authentication Testing
No Test Name Result
1 Testing for Credentials Transported over an Encrypted Channel (CVE-2024-43798) Issue
2 Testing for default credentials (CVE-2025-0890) Pass
3 Testing for Weak lock out mechanism (CVE-2017-7551) Issues
4 Testing for bypassing authentication schema Pass
5 Test remember password functionality Issue
6 Testing for Browser cache weakness Pass
7 Testing for Weak password policy (CVE-2022-37164) Issue (9.8/10)
8 Testing for Weak security question/answer N/A
9 Testing for weak password change or reset functionalities N/A
10 Testing for Weaker authentication in alternative channel N/A

Authorization Testing
No Test Name Result
1 Testing for Credentials Transported over an Encrypted Channel Issue
2 Testing for default credentials (CVE-2025-0890) Pass
3 Testing for a weak lockout mechanism (CVE-2017-7551) Issues
4 Testing for bypassing authentication schema Pass

Session Management
No Test Name Result
1 Testing for Bypassing Session Management Schema Pass
2 Testing for Cookies attributes (CVE-2023-45141) Issues
3 Testing for Session Fixation Pass
4 Testing for Exposed Session Variables (CVE-2024-55556) Issues
5 Testing for Cross Site Request Forgery (CVE-2024-9661) Issues
6 Testing for logout functionality Pass
7 Test Session Timeout Issues
8 Testing for Session puzzling N/A

Data Validation Testing

No Test Name Result
1 Testing for Reflected Cross Site Scripting (CVE-2024-55268) Issue
2 Testing for Stored Cross-Site Scripting (CVE-2024-13440) Issue
3 Testing for HTTP Verb Tampering Issue
4 Testing for HTTP Parameter Pass
5 Testing for SQL Injection (CVE-2025-1116) Issue
6 Oracle Testing N/A
7 MySQL Testing Pass
8 SQL Server Testing Pass
9 Testing PostgreSQL N/A
10 MS Access Testing N/A
11 Testing for NoSQL injection N/A
12 Testing for LDAP Injection N/A
13 Testing for ORM Injection N/A
14 Testing for XML Injection Pass
15 Testing for SSI Injection N/A
16 Testing for XPath Injection (CVE-2024-39565) Issue
17 IMAP/SMTP Injection N/A
18 Testing for Code Injection Issue
19 Testing for Local File Inclusion Pass
20 Testing for Remote File Inclusion Pass
21 Testing for Command Injection Issue
22 Testing for Buffer overflow N/A

Error Handling
No Test Name Result
1 Analysis of Error Codes Issues
2 Analysis of Stack Traces N/A

Cryptography

No Test Name Result
1 Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection Pass
2 Testing for Padding Oracle Pass
3 Testing for Sensitive information sent via unencrypted channels Issues

Business logic Testing

No Test Name Result
1 Test Business Logic Data Validation Issues
2 Test Ability to Forge Requests Pass
3 Test Integrity Checks Pass
4 Test for Process Timing Issues
5 Test Number of Times a Function Can be Used Limits Issues
6 Testing for the Circumvention of Work Flows N/A
7 Test Defenses Against Application Mis-use Issues
8 Test Upload of Unexpected File Types (CVE-2024-34346) Issues
9 Test Upload of Malicious Files (CVE-2024-57248) Issues
Client Side Testing
No Test Name Result
1 Testing for DOM based Cross Site Scripting Issue
2 Testing for JavaScript Execution (CVE-2025-0982) Issue
3 Testing for HTML Injection Issue
4 Testing for Client Side URL Redirect Pass
5 Testing for CSS Injection Pass
6 Testing for Client Side Resource Manipulation N/A
7 Test Cross Origin Resource Sharing N/A
8 Testing for Cross Site Flashing N/A
9 Testing for Clickjacking (CVE-2024-9397) Issue
10 Testing WebSocket N/A
11 Test Web Messaging N/A
*Not all CVE (Common Vulnerabilities and Exposures) are 100% accurate.

4. Risk Rating

Each weakness has its own CVSS 3 base score rating (Common Vulnerability Scoring System Version 3 Calculator).
Based on the CVSS 3 base score, the following weakness assessment is performed:

0.0 - 3.9 Low

4.0 - 6.9 Medium

7.0 - 8.9 High

9.0 - 10.0 Critical

RISK RATING   DESCRIPTION
CRITICAL      Weaknesses classified as Critical can be exploited with very little effort by an attacker.
HIGH          Severe issues that can easily be exploited to immediately impact the environment.
MEDIUM        Moderate security issues that require some effort to successfully impact the environment.
LOW           Security issues that have a limited or trivial impact to the environment.

5. Summary of Findings

Risk Level     Vulnerability Name                        OWASP TOP 10                          CVSS Score
Critical (C)   Admin Password Reset Vulnerability        A02:2021-Broken Authentication        9
High (H)       Weak Password Acceptance                  A02:2021-Broken Authentication        7
High (H)       Malicious File Upload                     A01:2021-Injection                    8.5
High (H)       CSRF Token Not Tied to User Session       A08:2021-Insecure Deserialization     8
Medium (M)     Weak Lockout Mechanism                    A02:2021-Broken Authentication        6.5
Medium (M)     Source Code Exposure                      A03:2021-Sensitive Data Exposure      5.5
Medium (M)     Improper Error Handling                   A07:2021-Security Misconfiguration    5
Medium (M)     HTTP/S Only Flag Missing                  A05:2021-Security Misconfiguration    5.5
Medium (M)     No Session Timeout                        A02:2021-Broken Authentication        6
Medium (M)     Password Sent in Cleartext                A03:2021-Sensitive Data Exposure      5.5
Low (L)        Exposed Session Variables                 A03:2021-Sensitive Data Exposure      4
Low (L)        Coordinator Cannot Access Project Page    A07:2021-Security Misconfiguration    3
Low (L)        OTP Processing Time Delay                 A04:2021-Insecure Design              3.5
Low (L)        URL Management Issues                     A05:2021-Security Misconfiguration    4

Vector String:
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L/RC:C/CR:H/IR:H/AR:H/MAV:L/MAC:L/MPR:N/MUI:N/MC:L/MI:L/MA:H
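The report rates each weakness by its CVSS 3 score (section 4 bands) and gives the full vector string above. As an added example that is not part of the original report, the following Python implements the CVSS v3.0 base, temporal and environmental formulas, parses that vector, and maps the result to the report's bands; the vector as written evaluates to 8.7 base and 9.3 environmental, which is the 9.3 the report assigns to the admin password finding. The `roundup` implementation is the integer-safe variant; the metric weights are the published v3.0 values.

```python
import math

# CVSS v3.0 metric weights, as published in the CVSS v3.0 specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
      "C": {"N": 0.85, "L": 0.68, "H": 0.50}}   # scope changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
TEMPORAL = {"E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
            "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
            "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}}
REQUIREMENT = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}   # CR / IR / AR weights
# The report's own rating bands (section 4): upper bound -> label.
BANDS = [(3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical")]

def roundup(value):
    # CVSS 'Roundup': smallest one-decimal number >= value, done on integers so
    # floating-point noise (e.g. 8.9000000001) cannot push a score up a band.
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0

def parse_vector(vector):
    # 'CVSS:3.0/AV:L/AC:L/...' -> {'AV': 'L', 'AC': 'L', ...}
    head, *metrics = vector.split("/")
    if head != "CVSS:3.0":
        raise ValueError("only CVSS:3.0 vectors are supported")
    return dict(m.split(":", 1) for m in metrics)

def impact_subscore(iss, scope):
    if scope == "U":
        return 6.42 * iss
    return 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15

def combine(impact, exploitability, scope):
    # Shared tail of the base and environmental formulas (before temporal).
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    if scope == "C":
        total *= 1.08
    return roundup(min(total, 10))

def base_score(m):
    scope = m["S"]
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    expl = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[scope][m["PR"]] * UI[m["UI"]]
    return combine(impact_subscore(iss, scope), expl, scope)

def temporal_factor(m):
    # A temporal metric that is absent counts as 'X' (not defined) = 1.0.
    return math.prod(TEMPORAL[k][m.get(k, "X")] for k in TEMPORAL)

def temporal_score(m):
    return roundup(base_score(m) * temporal_factor(m))

def environmental_score(m):
    def mod(key):
        # A modified metric (MAV, MPR, MC, ...) that is absent or 'X' falls
        # back to the corresponding base metric.
        value = m.get("M" + key, "X")
        return m[key] if value == "X" else value

    scope = mod("S")
    miss = min(1 - (1 - CIA[mod("C")] * REQUIREMENT[m.get("CR", "X")])
                   * (1 - CIA[mod("I")] * REQUIREMENT[m.get("IR", "X")])
                   * (1 - CIA[mod("A")] * REQUIREMENT[m.get("AR", "X")]), 0.915)
    expl = 8.22 * AV[mod("AV")] * AC[mod("AC")] * PR[scope][mod("PR")] * UI[mod("UI")]
    return roundup(combine(impact_subscore(miss, scope), expl, scope) * temporal_factor(m))

def rating(score):
    # Map a score to the report's Low/Medium/High/Critical bands.
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError("score outside 0.0-10.0")

# The vector string the report gives for the admin password finding.
REPORT_VECTOR = ("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L/RC:C/CR:H/IR:H/AR:H"
                 "/MAV:L/MAC:L/MPR:N/MUI:N/MC:L/MI:L/MA:H")

if __name__ == "__main__":
    m = parse_vector(REPORT_VECTOR)
    for fn in (base_score, temporal_score, environmental_score):
        print(fn.__name__, fn(m), rating(fn(m)))
```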

6.1 C01 Admin Password Disclosure    CVSS Score: 9.3

Risk: Critical
Location(s): /
Issue Details: Admin password changed by changing id and brute-forcing old password simultaneously.
Impact: The attacker can change the admin's password.
CVE: CWE-640

Recommendation: Make the change-password page non-accessible by ID.

6.2 H01 Weak Password Mechanism    CVSS Score: 7

Risk: High
Location(s): /
Issue Details: A weak password is short, common, a system default, or something that could be rapidly guessed by
executing a brute force attack using a subset of all possible passwords, such as words in the dictionary, proper names,
words based on the user name, or common variations on these themes.
Impact: Weak passwords can be easily guessed and are an easy target for brute force attacks. This can lead to an
authentication system failure and compromise system security. Authentication is an important aspect of security.
CVE: CWE-1008, CWE-1003
Recommendation:
● Use longer passwords.
● Do not reuse passwords.
● Do not use personal information.
● Change passwords in the event of a compromise.
● Check passwords against a list of commonly used, expected, or compromised passwords.

6.3 H02 Malicious File Upload    CVSS Score: N/A

Risk: High
Location(s): N/A
Issue Details: File upload vulnerabilities arise when a web server allows users to upload files to its filesystem without
sufficiently validating things like their name, type, contents, or size. Failing to enforce these restrictions properly could
mean that even a basic image upload function can be used to upload arbitrary and potentially dangerous files instead.
This could even include server-side script files that enable remote code execution.
Impact: A malicious file can be responsible for taking over the complete system, an overloaded file system or database,
forwarding attacks to back-end systems, client-side attacks, or simple defacement. Uploading malicious files can make
the website vulnerable to client-side attacks such as XSS or Cross-site Content Hijacking. Uploaded files might trigger
vulnerabilities in broken libraries/applications on the client side.
CVE: CVE-2001-0901, CVE-2002-1841, CVE-2005-1868, CVE-2005-1881
Recommendation: If the web server accepts a file without validating it or enforcing any restriction, this is considered
an unrestricted file upload. Stop accepting files without validation.

6.4 H03 CSRF where token is not tied to user session    CVSS Score: N/A

Risk: High
Location(s): N/A
Issue Details: The XSRF token is the same before and after login.
Impact: In this situation, the attacker can log in to the application using their own account, obtain a valid token, and
then feed that token to the victim user in their CSRF attack.
CVE: CVE-2020-11825
Recommendation: Make sure the XSRF token is destroyed after login and a new XSRF token is generated.

6.5 M01 Weak Lock Out Mechanism    CVSS Score: 6.5

Risk: Medium
Location(s): /ldap_connect.php
Issue Details: Account lockout mechanisms require a balance between protecting accounts from unauthorized access and
protecting users from being denied authorized access. Accounts are typically locked after 3 to 5 unsuccessful attempts
and can only be unlocked after a predetermined period of time, via a self-service unlock mechanism, or by intervention
of an administrator.
Impact: If no lockout threshold is present, an attacker can make more attempts to brute force the account before it is
locked.
CVE: CWE-645, CWE-1216
Recommendation:
● Time-based lockout and unlock (example: after 5 failed login trials, lock out the user for 15 minutes).
● Self-service unlock (sends an unlock email to the registered email address).
● Manual administrator unlock.
● Manual administrator unlock with positive user identification.
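One way to implement the time-based lockout with self-service and administrator unlock recommended above, as an added Python example that is not part of the original report or of bWAPP itself. The credential check and the clock are injected so the 15-minute window can be exercised without waiting; the user names, passwords and clock values in demo() are constructed, and the e-mail delivery of the unlock token is outside the example.

```python
import hmac
import secrets
import time


class LockoutPolicy:
    """Lock an account after `threshold` failures for `lock_seconds`.

    verify_credentials(username, password) -> bool is supplied by the caller;
    clock() is injectable so the lockout window can be tested deterministically.
    """

    def __init__(self, verify_credentials, threshold=5, lock_seconds=15 * 60,
                 clock=time.time):
        self._verify = verify_credentials
        self._threshold = threshold
        self._lock_seconds = lock_seconds
        self._clock = clock
        self._state = {}   # username -> {failures, locked_until, unlock_token}

    def _get(self, username):
        return self._state.setdefault(
            username, {"failures": 0, "locked_until": 0.0, "unlock_token": None})

    def is_locked(self, username):
        return self._clock() < self._get(username)["locked_until"]

    def attempt_login(self, username, password):
        """Returns (success, reason); reason is 'ok', 'invalid' or 'locked'."""
        st = self._get(username)
        # Check the lock before verifying the password: while locked, even a
        # correct password is rejected, so guessing cannot continue in the window.
        if self.is_locked(username):
            return False, "locked"
        if self._verify(username, password):
            st["failures"] = 0
            return True, "ok"
        st["failures"] += 1
        if st["failures"] >= self._threshold:
            st["failures"] = 0
            st["locked_until"] = self._clock() + self._lock_seconds
            return False, "locked"
        return False, "invalid"

    def issue_unlock_token(self, username):
        """Self-service unlock: one-time token to send to the registered e-mail."""
        token = secrets.token_urlsafe(32)
        self._get(username)["unlock_token"] = token
        return token

    def self_service_unlock(self, username, token):
        st = self._get(username)
        expected = st["unlock_token"]
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        st["unlock_token"] = None          # single use
        st["locked_until"] = 0.0
        st["failures"] = 0
        return True

    def admin_unlock(self, username):
        """Manual administrator unlock (identity verified out of band)."""
        st = self._get(username)
        st["locked_until"] = 0.0
        st["failures"] = 0


def demo():
    """The report's example: 5 failed trials lock the account for 15 minutes."""
    now = [1_000_000.0]                     # constructed fake clock (epoch seconds)
    users = {"admin": "correct horse"}      # constructed credential store
    policy = LockoutPolicy(lambda u, p: users.get(u) == p, clock=lambda: now[0])
    reasons = [policy.attempt_login("admin", "wrong")[1] for _ in range(5)]
    during_lock = policy.attempt_login("admin", "correct horse")
    now[0] += 15 * 60                       # lock window elapses
    after_lock = policy.attempt_login("admin", "correct horse")
    return reasons, during_lock, after_lock


if __name__ == "__main__":
    print(demo())
```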

6.6 M02 Source Code Exposure    CVSS Score: 5.5

Risk: Medium
Location(s): /js/html5.js
Issue Details: The main JavaScript source code file was exposed.
Impact: An attacker can analyze the source code and find potential vulnerabilities which might lead to attacks.
CVE: CVE-2002-0840, CVE-2002-1156
Recommendation: Restrict access to all JavaScript source code files.

6.7 M03 Improper Error Handling    CVSS Score: 5.0

Risk: Medium
Location(s): All pages under /
Issue Details: Stack trace and Laravel debug mode output are displayed in case of error.
Impact: A stack trace is an information leak which reveals information about the web application implementation.
Whilst not a serious vulnerability, it does allow an attacker to gain certain information about the system. It may also
allow them to use a debugging-based approach to exploiting flaws in the site.
CVE:
Recommendation: Implement custom error pages by applying changes to the web.config file.

6.8 M04 HTTPOnly Flag Missing    CVSS Score: 5.5

Risk: Medium
Location(s): All pages under /, /smgmt_cookies_httponly.php
Issue Details: The HttpOnly flag was not set for the session cookie.
Impact: If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side
JavaScript. This measure makes certain client-side attacks, such as cross-site scripting, slightly harder to exploit by
preventing them from trivially capturing the cookie's value via an injected script.
CVE: CVE-2018-12302
Recommendation: Set HttpOnly to true for session cookies.

6.9 M05 No Session Time-Out    CVSS Score: 6.0

Risk: Medium
Location(s): /login.php
Issue Details: Session timeout is a fairly popular option that needs to be used carefully. It is used to determine how
long a device may remain authenticated on a switchport before it must perform authentication again.
Impact: A web application should invalidate a session after a predefined idle time has passed (a timeout) and provide
users the means to invalidate their own sessions (logout). These simple measures help to keep the lifespan of a session
ID as short as possible.
CVE: CWE-613
Recommendation: If the user has not been doing anything on the page for a set length of time (often 30 minutes), the
server should time out the session.

6.10 M06 Password Sent In Cleartext    CVSS Score: 5.5

Risk: Medium
Location(s): /login.php, /htmli_get.php, /htmli_post.php, /sqli_1.php, /smgmt_cookies_httponly.php
Issue Details: User credentials are transmitted over an unencrypted channel.
Impact: The software transmits sensitive or security-critical data in cleartext in a communication channel that can be
sniffed by unauthorized actors.
CVE: CWE-1000, CWE-699
Recommendation: User credentials are considered sensitive information and should always be transferred to the server
over an encrypted connection (HTTPS).

6.11 L01 Exposed Session Variables    CVSS Score: N/A

Risk: Low
Location(s): N/A
Issue Details: Session ID variables were base64 encoded, so they were easily decoded and the ID values were exposed.
Impact: An attacker can use these data to construct an attack.
CVE: CWE-200, CWE-488
Recommendation: Use two types of encryption algorithms recursively, and the outer encryption should not be base64.

6.12 Io1 Coordinator Cannot Access Project Page

Risk: Info
Location(s): N/A
Observation: When an admin/auditor assigns any project to the coordinator, the assigned coordinator cannot access
this project.
Recommendation: Proper project role management is needed.


6.13 Io2 OTP Processing Time Delay

Risk: Info
Location(s): N/A
Observation: When an admin/client tries to log in, the 2FA OTP takes a lot of time.
Recommendation: The time to get the OTP should be reduced.

6.14 Io3 URL Management Issues

Risk: Info
Location(s): N/A
Observation: Our existing URL management is not bad, but we want something better.
Recommendation: Our URL management will be better when we use the same folder mechanism.

Conclusion
This penetration test provided valuable information about the bWAPP application's security posture. The identified
vulnerabilities, which range from critical to low risk, highlight areas that require immediate attention to prevent
potential threats. While this report provides a snapshot of the application's security at the time of testing, security
remains an ongoing process. We strongly advise you to follow the recommendations in this report and establish a
continuous security improvement cycle.

The key findings and high-level recommendations are summarized in the Summary of Findings table above; the detailed
findings sections contain comprehensive information and specific remediation steps.
