
VAPT Report Template

The vulnerability assessment and penetration testing (VAPT) report for Acunetix identified 13 vulnerabilities on the website http://testphp.vulnweb.com/ during testing from March 28 to March 30, 2022. Key findings included 3 critical vulnerabilities such as SQL Injection and Cross Site Scripting, which could allow attackers to manipulate data and execute unauthorized commands. The report emphasizes the need for continuous security improvements and adherence to best practices to enhance the overall security posture.

Uploaded by

sammycurtis92
Copyright: © All Rights Reserved

VULNERABILITY ASSESSMENT

AND PENETRATION TESTING


REPORT

FOR
Acunetix
(http://testphp.vulnweb.com/)

FROM
Suyash Naik

1|Page
CONTENTS
1. EXECUTIVE SUMMARY ...................................... 3
   1.1 SUMMARY ............................................ 3
   1.2 OBJECTIVE .......................................... 3
   1.3 SCOPE .............................................. 3
2. TABULAR SUMMARY ........................................ 4
3. GRAPHICAL SUMMARY ...................................... 5
4. TECHNICAL REPORT ....................................... 6
   4.1 SQL Injection ...................................... 6
   4.2 Cross Site Scripting ............................... 8
   4.3 Info. Disclosure with Broken Authentication ........ 10
   4.4 Session ID containing user Credentials ............. 11
   4.5 Detailed Error ..................................... 12
   4.6 User credentials sent in clear text ................ 13
   4.7 Missing Functional Level Access .................... 14
   4.8 Cross Site Request Forgery ......................... 15
   4.9 Business Logic Testing ............................. 16
   4.10 Cookie not marked as HttpOnly ..................... 17
   4.11 TRACE Method Enabled .............................. 18
   4.12 Directory Listing ................................. 19
   4.13 Auto Complete Forms ............................... 20
5. CONCLUSIONS ............................................ 21

1 SUMMARY

1.1 EXECUTIVE SUMMARY


INSTITUTE OF INFORMATION SECURITY (IIS) was assigned the task of vulnerability assessment and
penetration testing (VAPT) of Acunetix (http://testphp.vulnweb.com/).

This VAPT was performed from 28-March-2022 to 30-March-2022. The detailed report and our
findings are described below.

1.2 OBJECTIVE

The objective of this test was to identify security vulnerabilities in the web server configuration
and in the website running on the server. The tests were carried out assuming the identity of an
attacker with malicious intent. At the same time, due care was taken not to harm the web server.

1.3 SCOPE

The scope of our work was limited to the website Acunetix (http://testphp.vulnweb.com/). The
vulnerabilities and our findings are described below.

2 TABULAR SUMMARY
The following tables summarize the vulnerability assessment of the server.

Category                          Count
No. of live hosts                 1
No. of vulnerabilities            13
No. of critical vulnerabilities   3
No. of high vulnerabilities       5
No. of medium vulnerabilities     3
No. of low vulnerabilities        2
Fig 2.1

S.No.  Vulnerability name                             Severity   Ease of exploitation
1      SQL Injection                                  Critical   Moderate
2      Cross Site Scripting                           Critical   Moderate
3      Info. Disclosure with Broken Authentication    Critical   Moderate
4      Session ID containing user Credentials         High       Moderate
5      Detailed Error                                 High       Moderate
6      User credentials sent in clear text            High       Moderate
7      Missing Functional Level Access                High       Moderate
8      Cross Site Request Forgery                     High       Moderate
9      Business Logic Testing                         Medium     Moderate
10     Cookie not marked as HttpOnly                  Medium     Easy
11     TRACE Method Enabled                           Medium     Easy
12     Directory Listing                              Low        Easy
13     Auto Complete form                             Low        Easy
Fig 2.2

3 GRAPHICAL SUMMARY
The following pie chart graphically summarizes the vulnerability assessment.

[Fig. 3.1: pie chart "Vulnerability Assessment" by severity (Critical, High, Medium, Low); slices labelled 14%, 21%, 29% and 36%]

4 TECHNICAL REPORT
4.1 SQL Injection
SQL injection occurs when data input by a user is interpreted by the backend database as part of
a SQL command rather than as ordinary data.

SEVERITY
Critical

AFFECTS
Affected URL: http://testphp.vulnweb.com/login.php
Affected parameter: login.php
Parameter type: POST
Attack vector: ' or 1=1--

Affected URL: http://testphp.vulnweb.com/listproducts.php?cat=1
Affected parameters: version, database, system_user
Parameter type: GET
Attack vector: http://testphp.vulnweb.com/listproducts.php?cat=1%20union%20select%201,version(),3,4,5,6,database(),8,system_user(),10,11

Affected URL: http://192.168.0.134/cgi-bin/badstore.cgi?action=register
Affected parameters: email, fullname, passwd, pwdhint, role
Parameter type: POST
Attack vector: single quote

ANALYSIS
1. During the test it was found that the “login.php” page was vulnerable to SQL injection.

Fig 4.1.1 SQL Injection

2. The injected SQL query let us bypass the login page.

Fig. 4.1.2 SQL Injection


3. Listproducts.php was vulnerable to SQL Injection.

Fig. 4.1.3 SQL Injection

IMPACT
Depending on the backend database, the database connection settings and the operating system,
an attacker can successfully mount one or more of the following types of attack:
1. Reading, updating and deleting arbitrary data in the database.
2. Executing commands on the underlying operating system.
3. Reading, updating and deleting arbitrary tables in the database.

REMEDY
A very robust method for mitigating SQL injection is to use parameterized queries.
Whenever possible, do not build dynamic SQL queries or SQL queries by string concatenation.
1. Reference: https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
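As an added illustration of this remedy (not code from the report or from the tested site), the following Python stand-in reproduces the login bypass with the report's `' or 1=1--` vector against a query built by string concatenation, shows the same input matching nothing once the query is parameterized, and applies the same treatment plus an integer check to the `cat` parameter of the product listing. The in-memory sqlite3 tables and their rows are constructed for the demo and are not the target's schema.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the site's backend tables (assumption, not the real schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uname TEXT, pass TEXT)")
    db.execute("INSERT INTO users VALUES ('test', 'test')")
    db.execute("CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, 1, "poster"), (2, 1, "mug"), (3, 2, "shirt")])
    return db


def login_vulnerable(db, uname, pwd):
    # Dynamic SQL built by concatenation: the quote in the input closes the
    # string literal, "or 1=1" makes the WHERE clause true for every row and
    # "--" comments out the password check.
    sql = f"SELECT uname FROM users WHERE uname='{uname}' AND pass='{pwd}'"
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, uname, pwd):
    # Placeholders: the driver binds the values separately from the SQL text,
    # so the payload is compared as a plain string and matches no user.
    sql = "SELECT uname FROM users WHERE uname=? AND pass=?"
    return db.execute(sql, (uname, pwd)).fetchone() is not None


def list_products_parameterized(db, cat):
    # For the GET parameter, enforce the expected type before binding as well;
    # a UNION SELECT payload is not an integer and is rejected up front.
    try:
        cat_id = int(cat)
    except (TypeError, ValueError):
        raise ValueError("cat must be an integer")
    rows = db.execute("SELECT name FROM products WHERE cat=?", (cat_id,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"  # the attack vector from finding 4.1
    print("concatenated :", login_vulnerable(db, payload, "x"))     # True
    print("parameterized:", login_parameterized(db, payload, "x"))  # False
    print("cat=1 products:", list_products_parameterized(db, "1"))
```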

4.2 Cross Site Scripting (XSS)


Cross Site Scripting occurs when an attacker injects malicious JavaScript code into a web page.

SEVERITY

Critical

AFFECTS
Affected URL: http://testphp.vulnweb.com/guestbook.php
Affected parameter: Message Box
Parameter type: POST
Attack vector: <script>alert("test")</script>

Affected URL: http://testphp.vulnweb.com/search.php?test=query
Affected parameter: Search Box
Parameter type: POST
Attack vector: <script>alert(document.cookie)</script>

ANALYSIS

1. During the test it was found that the “guestbook.php” page was vulnerable to XSS.

Fig 4.2.1 Cross Site Scripting

2. After adding a message, an alert box popped up on guestbook.php.

Fig 4.2.2 Cross Site Scripting

3. The search box is also vulnerable to XSS.

Fig 4.2.3 Cross Site Scripting

4. After clicking “go”, an alert box showing the login cookie is visible.

Fig 4.2.4 Cross Site Scripting

IMPACT

Depending on the backend database, the database connection settings and the operating system,
an attacker can successfully mount one or more of the following types of attack:
1. Reading, updating and deleting arbitrary data in the database.
2. Executing commands on the underlying operating system.
3. Reading, updating and deleting arbitrary tables in the database.

REMEDY

The HTTP X-XSS-Protection header is a feature of popular browsers such as Chrome and
Internet Explorer that filters suspicious content to prevent reflected XSS attacks. If the
filter detects XSS, it blocks the page from loading.
1. Use HttpOnly cookies; this ensures that cookies cannot be accessed by client-side scripts.
2. Set the HttpOnly flag on session cookies and on any custom cookies that are not accessed by
your JavaScript code.
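As an added example (not part of the report or of the tested site), the following Python shows output encoding, a control the remedy above does not list but which turns the guestbook payload into inert text, together with a session cookie built with the HttpOnly and Secure flags and a check that reports which of those flags a Set-Cookie value lacks, usable when verifying the fix. The cookie name `sid` and the session value are assumptions.

```python
import html
from http.cookies import SimpleCookie

# Attack vector from finding 4.2 (constructed copy of the report's payload).
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_message_vulnerable(message):
    # Stored text is written into the page verbatim, so the browser parses
    # and executes the <script> element when guestbook.php is viewed.
    return f"<p>{message}</p>"


def render_message_escaped(message):
    # Output encoding: '<', '>', '&' and quotes become entities, so the
    # payload is displayed as text instead of being parsed as markup.
    return f"<p>{html.escape(message, quote=True)}</p>"


def session_cookie_header(session_id):
    # Cookie name "sid" is an assumption; the flags are what the remedy asks for.
    # HttpOnly keeps document.cookie from reading it; Secure keeps it off plain HTTP.
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    return cookie.output(header="Set-Cookie:")


def cookie_flags_missing(set_cookie_value):
    # Inspect a Set-Cookie value as it appears in a response and return the
    # protective flags that are absent (case-insensitive attribute names).
    attrs = {part.strip().split("=")[0].lower()
             for part in set_cookie_value.split(";")[1:]}
    return [flag for flag in ("httponly", "secure") if flag not in attrs]


if __name__ == "__main__":
    print(render_message_vulnerable(PAYLOAD))
    print(render_message_escaped(PAYLOAD))
    header = session_cookie_header("abc123")
    print(header)
    print("missing flags:", cookie_flags_missing("sid=abc123; Path=/"))  # ['httponly', 'secure']
```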

5 CONCLUSIONS
Experience has shown that a focused effort on the problems outlined in this report can
result in dramatic security improvements. Most of the identified problems do not
require high-tech solutions, just knowledge of and commitment to good practices.

For systems to remain secure, however, the security posture must be evaluated and
improved continuously. Establishing the organisational structure that will support
these ongoing improvements is essential in order to maintain control of corporate
information systems.

We conclude that the overall security needs to improve. We hope that the issues
cited in this report will be addressed.

