Ethical Hacking Internship - Technical Report

Intern Name: SARTHAK VIJAY JOSHI

Domain: Ethical Hacking
Batch: 3-4-2025
Company: XYZ Company
Target Application: testphp.vulnweb.com

Introduction
This report documents the penetration testing performed on "testphp.vulnweb.com" as part of
XYZ Company's ethical hacking internship. The objective was to identify security vulnerabilities
within the application and provide recommendations for mitigation.

Techniques Used
• Information Gathering (Reconnaissance)

• Cross-Site Scripting (XSS)

Tools and Frameworks Utilized

• OWASP ZAP- (automated vulnerability scanning tool)

• Kali Linux – (Operating system)

• Nmap- (network scanner)

1.used automated tools for identifying vulnerability
Step1:
open zap proxy to scan the website to identify the vulnerability

Step2:
After scanning the full website is done go to report and generate the report
Step 3:
After clicking generate report fill report title, report name, report location
description then clicks generate report
Step4:
Open the report and focus on the high-risk vulnerabilities
Step 5:
Check the high-risk vulnerability click first xss high-risk vulnerability
Step 6:
After clicking the vulnerability (Cross site scripting) show the possible paths to find
the XSS vulnerability

Step 7:
Check the path , vulnerable Parmeter and attack payload

parameter

payload
Step 8:
open the link and insert the payload to the vulnerable parameter and check the
response if payload run successfully the website is vulnerable with XSS
vulnerability
 POC
1. Executive Summary
This report details a Cross-Site Scripting (XSS) vulnerability discovered in the
http://testphp.vulnweb.com/ web application. The vulnerability allows an attacker
to inject malicious scripts into web pages viewed by other users. This can lead to
session hijacking, defacement, or other malicious activities.
2. Vulnerability Details 2.1 Vulnerability Type
Cross-Site Scripting (XSS)
2.2 Affected Component
2.3 Vulnerability Description
The application does not properly sanitize user input, allowing an attacker to inject
malicious scripts into web pages. These scripts can be executed in the context of
other users' browsers, leading to potential security risks.
3. Proof of Concept
3.1 Steps to Reproduce

1. Open the web application and go to

http://testphp.vulnweb.com/artists.php?artist=1

2. Enter the following payload into the URL parameter

3. <scrIpt>alert("XSSVulnerability”) ;</scRipt>

4. The injected script will execute, displaying an alert box with the message
"XSS Vulnerability".

3.3 Screenshots:
4. Impact
4.1 Potential Risks
• Session Hijacking: An attacker can steal session cookies and impersonate
users.
• Data Theft: Sensitive information can be exfiltrated from the user's browser.
• Defacement: The attacker can modify the appearance of the web page.
• Malware Distribution: Malicious scripts can be used to distribute malware
to users.

4. Recommendations
4.1 Immediate Actions
• Temporary Mitigation: Implement input validation and output encoding to
prevent script injection.
• Monitoring: Monitor for any suspicious activities related to the vulnerable
component.

4.2 Long-Term Solutions

• Input Sanitization: Ensure all user inputs are properly sanitized and
validated.
• Output Encoding: Encode all output to prevent scripts from being executed.
• Security Training: Provide training for developers on secure coding
practices.
• Regular Audits: Conduct regular security audits and penetration testing.

5. Conclusion
The identified XSS vulnerability poses a significant risk to the security of the web
application and its users. Immediate action is required to mitigate the risk and
implement long-term solutions to prevent similar vulnerabilities in the future.