See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/352102973

Vulnerability Assessment of Web Applications and Recommendations for

Actions: Penetration Testing Report

Preprint · September 2016

DOI: 10.13140/RG.2.2.16548.40323

CITATIONS READS

0 6,663

1 author:

Imrana Abdullahi Yari

Friedrich-Alexander-University Erlangen-Nürnberg
13 PUBLICATIONS 453 CITATIONS

SEE PROFILE

All content following this page was uploaded by Imrana Abdullahi Yari on 03 June 2021.

The user has requested enhancement of the downloaded file.

Vulnerability Assessment of Web Applications and Recommendations for
Actions: Penetration Testing Report
Imrana Abdullahi Yari, BSc (2016)
Keywords: web application, vulnerability assessment, penetration testing, information
security, cyber-attacks, SQL injection, cross-site scripting, brute force, OWASP Top 10

Abstract
The objective of this report is to find web application vulnerabilities of a vulnerable application
that was hosted on a VMware Linux machine by using the web dojo VMware machine on the
same network. A thorough investigation of two of the found vulnerabilities will be conducted.
The impacts and probability of the exploitation of each vulnerability found will also be graded
based on the standard vulnerability scoring scheme. Additionally, the vulnerabilities will be
graded according to the consequences of the exploitation identified through the findings.
Moreover, the recommendation for each vulnerability will be provided to mitigate or stop the
threat. Finally, the vulnerability investigation will focus on working mechanisms and novel
ways to protect the entire web application from threats. This report could help any web
application developers, providers, and users to better understand the inherent and possible
security issues of web applications and how to address them.
Introduction
Currently, there is no single system or application that is not vulnerable to attack. In the case
of this study, the vulnerable web application is designed with a weak security policies that
made it susceptible to most vulnerabilities for penetration testing. This report will cover
vulnerable web application penetration test and report. The test report will include twelve
vulnerabilities found, each with an explanation, impact score, the probability of exploitation,
and security mechanism to protect the system against the attack. The investigation will cover
the working mechanism of SQL injection and a novel way to protect against the attack.

Section 1: Web Application Test Report

Executive Summary
At first, the user registration page of the vulnerable web application is developed using
validation techniques that protect the system from a client-side only. Thus, the page is
accessible to parameter tampering of which the attacker can alter the page form field (e.g.,
username, password, email) restrictions to provide a range of space for allocating her/his
malicious activities to exploit the system. Moreover, the page is implemented with weak
password strength and poor forget-password questions; there is no restriction for a user to
provide secure and strong details. Users are often lazy in providing their well-secured and
standard credentials at the time of sign-up when they are not enforced to provide strong
credentials to the system. Also, the user login page is vulnerable to SQL injection, which allows
the attacker to bypass the authentication and authorization procedures to log in to the system
and enable them to add data to the database system.
The message page is designed without good session management. When each user logs in,
her/his session identification variable is static while moving through the pages and does not
1
terminate when he/she logs out from the system as long as the session parameter is exposed.
The attacker can spoof the system authentication and log in to the system. Due to the low-level
control of access mechanisms, a user can view public messages or profiles of other users by
altering URL variables. Moreover, an attacker can save a reflected or stored cross-site scripting
(CSS) malicious code on her/his profile, so each time the connected friends visit or view the
anonymous hackers' profile they will be infected by the stored malicious code.
The most dangerous threats found which led to the entire system disclosure were vulnerable
uploads. The case web application has an upload function that was exposed to malicious file
upload. Attackers can upload a malicious file that will give them a backdoor shell-like telnet
to execute and run codes remotely. Continuous exploitation leads the attacker to find the whole
application directory to retrieve complete web application files. Lastly, the page parameters are
exposed while passing on the URL, which allows an attacker to use the exposed variables and
design a cross-site request forgery with the use of social engineering and trick the system to
lure online users to automatically follow the attacker.
Definitions of Impact and probability of exploitation

Impact of exploitation

Consequences of Explanation
exploitation
Low Even if the attack is successful, the attacker would not have control
over what’s being exploited, modification of the contents is not
also possible. Hence, the attack impact scope may be limited to
only allowing an attacker to access a specific level of only viewing
the system content.
Medium The attack needs some pre-conditions for the attacker to exploit the
whole system because the system is configured with some security
measures. Therefore, a successful attack may allow little
modifications on the specific system contents which may not affect
the entire system.
High There is a total compromise of the whole system, and therefore,
loss in system protections, which leads to full system files and
configuration disclosure. Moreover, an attacker can modify or
control the entire system.

The Probability of Exploitation

Chances of Explanation
Exploitation
Low There is a need for sophisticated tools to bypass systems
restrictions to expose the vulnerability before starting to exploit the
system. So, this vulnerability is very unlikely to occur.
Medium The chance for this kind of vulnerability to occur requires some
preconditions. So, this vulnerability occurs moderately.
High For this vulnerability to be exposed, require only some open
available tools with some little knowledge. So, this weakness is
very common to occur.

2
Vulnerability 1

File Inclusion: Remote File Inclusion

Impact Probability
Medium Medium

Finding

The partners' page (https://vulnapp.com/advert.php?partner=partner1.php) was found

vulnerable to file inclusion attacks. It allows an attacker to execute filesystem commands
remotely from the vulnerable web application’s URL. This vulnerability was exploited using
Linux terminal commands and the URL of the web application; the ‘password’ and ‘group’
files of the ‘etc’ directory of the hosting server were exposed without authorization and it is
illustrated in the figure below.

3
Recommendation

The disabling of the ‘allow_url_fopen’ function of PHP allows a filesystem of the remote
server to be accessed from the URL. A below PHP code can be used to fix and validate the
inputs from the system before execution. Lastly, the use of IPS, IDS, and Web applications
firewall to blacklist execution of unexpected malicious commands from the URL could help to
secure the system from this attack.
<?PHP

if (set($_POST['submit'])) {

require_once '../functions.php';

?>

Vulnerability 2

SQL Injection: String SQL Injection Attack

Impact Probability
High Medium

Finding

The username of admin was exposed as shown below in the second figure when using Burp
Suite. Exploring more on the login page (https://vulnapp.com/login.php) by using these strings:
“1’or’1’=’1” for the login details, the web application log on successfully to an account with
username ‘1’ as shown in the figure below. Additionally, in the second illustration, the leaked
username admin and “1’or’1’=’1” as the password were used to log in as admin. Moreover,
the admin user is a user with full administrative privileges and has a function to change users’
passwords.

4
Recommendation

Among the best ways to protect SQL injection is using a sophisticated web application security
firewall like using Mod security. Mod security can be configured with a set of rules to filter
and block authorize access from a harmful request against a system, by using the below code
in a configuration file (Mischel 2009). The password field should be stored in a database using
a cryptographic hash function like MD5 or SHA-1.
<location /login.php> SecRule ARGS: \’ id:'7000006',deny,status:403 </location>
In more proper way we can use this code below to allow only the expected inputs
<location /login.php> SecRule ARGS: user|pass “!^[-A-Z-a-z-0-9_]+$” “deny” status:403
</location>
Moreover, a complete data sanitization like using validations on the phone number field to only
allow mobile number characters, email address field to only filters emails strings and so on.
PHP developers can also use ‘Mysql_real_escape_string’ code for sanitizing users’ input to
block SQL injections strings like a single quote.

Vulnerability 3

Cross-Site Scripting: Stored XSS attack

Impact Probability
Medium High

Finding

The users’ profiles and blog pages are accessible to Stored Cross-site scripting attacks
(https://vulnapp.com/profile.php and https://vulnapp.com/blog.php).
When logging in as an ordinary privileged user on the profile page, it was able to edit and save
any changes on the user profile with this malicious code and Burp Suite.
‘<script>alert("Hi friend thanks for viewing my profile");</script>’

5
The code injected was buried in profile page as shown in a figure below of the imrana profile,
so it remains persistent within the system.
Another typical user named Fatima logged in and followed imrana on members’ page, when
fatima click on friends’ page and then click on imrana as a friend to view imranas’ profile, a
message pop up for the malicious trap message as shown in the figure below.

Recommendation

Software developers must implement systems that sanitize all user inputs that will be saved to
the system. Most importantly, the inputs that will get stored in the database, or expected OS
commands that can handle malicious execution. Restrictions can be assigned using validation
on each field of the form like PHP server-side validation (see the Appendix B for more details)
Alternatively, Mod security can also be used with the following ruleset to block the script tag
for a form field.
<location /profile.php> SecRule ARGS: <script> id:'3000002',deny,status:403</location>
Vulnerability 4

Authentication Flaws (Weak Password Strength and Forgot Password): Brute Force
Attack
Impact Probability
High Medium

Finding

The sign-up page (https://vulnapp.com/signup.php) username, password, and security question

fields were implemented with no strong inputs validation. This is shown exploited in the first
two figures below in which the system allows a user to create an account with even a single
character. We generated a random password with the range password given for web dojo, and

6
a clue to some known usernames like ‘admin’ and also googled through some data relating to
the type of cheese. Furthermore, the intruder feature of Burp Suite was used to brute force
attack the weekly implemented password of the login page and security question of the forgot
password page with the generated data. Finally, on request ID 693 the response on render
option where a payload 1 is admin and payload 2 is 1337admin shows successful response and
this is an administrative account. In the third figure, the response of the username admin on ID
641 with the security question ‘idontlikecheese’ was also successful as shown in the last figure
below.

7
Recommendation

It is highly recommended that form fields most importantly password should have a validation
declared: the input size, combinations of small and capital letters, special characters, and
numbers to prevent the system firmly from brute force attack. Most, especially for the accounts
with the full administrative right; also hide usernames and avoid exposing them on the users’
profile details for other users to view. Moreover, it is recommended that a security question
should be implemented for a user to choose the type of question as an option, to hide the identity
of being specific. The PHP code in Appendix A can be used to enforce users to generate a
strong password for their accounts (Miller 2014).

8
Vulnerability 5

Injection Flaws: Adding data with SQL Injection

Impact Probability
Low Medium

Finding

The username and password form fields of the login page (https://vulnapp.com/login.php) were
found vulnerable to SQL injection attacks. As shown in the figure below, when the user Chuck
login with a password chuck'or'b'='b, and then follow another member imranayari makes the
system store user Chuck in the user’s (imranayari) friends list. The second figure illustrates the
other bogus users that were created using the same method and followed the user imranayari.
In the last illustration, those bogus users created were added as part of imranayari’s friends
page and not members’ page: this shows that the attacker successfully assigns bogus users to
be followed automatically by the legitimate users without their consents.

9
Recommendation

To avoid this attack quickly, validation techniques could be leveraged to filter out SQL
statement characters within the query like semicolon (;), single quote (‘), double dash (- -), and
whitelist all the correct characters to be filtered for each type of field. Moreover, a
parameterized query could be leveraged to parse the users’ input and application data sent
separately to the SQL server as shown in the below code:
Instead of using:
SELECT user, pass FROM members Where user_id= $level
We use:
SELECT user, pass FROM members Where user_id=?

10
Vulnerability 6

Failure to Restrict URL Access: Path Traversal Attack

Impact Probability
Low High

Finding

Through the web application URL, it was able to gain access to the resources that were not
referenced and browsed through the robots.txt file, upload, and dev directories and viewed their
contents. The log2 file in the tmp directory exposes log information, while the test code in the
dev directory exposes the database structure for a table named member and its columns: user,
pass, and answer.

Recommendation

The easiest way to protect web application path and files is on Apache is using ‘.htacces’ file.
Firstly, browse to Apache configuration file in a directory, etc./HTTP/config, search for the
.htaccess and alter its setting to AllowOverideAll to control what directory may be placed in
the .htacess file. Another level of protection can be achieved through creating a file called
.htaccess in an HTML/www directory and put the below code to protect the files and directory
listing attacks:
Option -Indexes
The system should be implemented with a user role policy for accessing files or directories
within the system, and it should make sure the user is authenticated and authorized before
accessing a system resource.

11
Vulnerability 7

Broken Authentication and Session Management Flaws: Spoof an Authentication Cookie

Impact Probability
Medium Medium

Finding

It was discovered that each time a user login into the system, the PHP session ID is given to
her/him is reusable before the next login. The figure below showed a successful log-in with a
particular account and the cookies were saved by interception the request using Burp Suite for
user Fatima. The same saved session ID on Burp Suite was used to request a page on the system
without providing any login tokens, and the system login successfully as shown in the below
figure. It was also possible to view directly some system functionalities, like messages. This
flaw occurs due to no logout mechanism is implemented to unset the session variable and
thread-safety concurrency.

When exploited, an attacker can easily store a malicious code with the exposed cookie using a
script below:
<script type="text/javascript">alert(document.cooke);</script>
Recommendation

The session ID should be implemented with great complexity, randomness and concatenated
with the user ID from the database. The logout mechanism should be able to make that session
ID inactive and regenerate a new one randomly to the user on the next login. Restriction of
XSS attack on the form fields just likes it is being mostly used to take user session cookies
without system authorization (Owasp 2013).

12
Vulnerability 8

Concurrency: Thread Safety Problem

Impact Probability
High Medium

Finding

It was discovered that opening multiple chrome browsers (e.g., 1,2) and try logging in to the
web applications from browser 1 and 2, when a user X logs in via browser 1 and another Y
quickly log in via browser 2, for both browser 1 and 2 the system successfully logs on the user
Y that logs on the system. Even though the usernames are entirely different as shown in the
figure below, the session ID for user 1 is being hijacked by the most recent user on browser 2
instead of the new session ID is given for the new user to differentiate the users or restrict the
new user from accessing or sharing the same session. These concurrency bugs occur when
loading the same page that the other user is being used at the same time.

13
Recommendation

Inspection of the global and static variables in the web application code could mitigate this
issue. Furthermore, making the session variable non-concurring, random, complex, and
concatenate code session ID with database ID could address the issue. Also, making the system
thread-safe by modifying objects to keep a valid state when to utilize concurrently by multiple
threads (Insomniasec 2011).

Vulnerability 9

Access Control Flaws: Remote Admin access and Access Control Matrix
Impact Probability
High Medium

Finding

It was discovered that a user can tamper with the URL GET view. This could be achieved by
adding variables to the URL using the expose username parameter and value of the user you
want to see her-his profile or follow non-existing friends to add them to the system, as shown
in the figures below.
The administrator user is the only user with abilities to access the admin.php file, which is a
PHP file used for changing the users’ passwords. A regular user imrana was able to browse the
https://vulnapp.com/admin.php file on the URL and altered the admin password with the leaked
username of the administrator as shown below figure. The below PHP session ID is indicating
that we were moving within the system from one page to another with the same ID of imrana
to access the admin page.

14
Recommendation

Web application developers should avoid parsing sensitive or form parameters using the GET
method as the values are readily exposed to users. Also, using complex, random, and constant
changes of session variables for navigating through different pages on the application could fix
this issue. The session variable should only hold possession of the users’ roles, files, and data.
Also, securing sensitive data in a directory using .htaccess to disable other users from accessing
the directory could be leveraged to mitigate this kind of attack.

Vulnerability 10

Unrestricted File Upload: PHP Reverse Shell and Malicious Execution

Impact Probability
High Low

Finding

Another page (https://vulnapp.com/profile.php) was found vulnerable to malicious file upload.

Burp Suite was used to change the extension of the malicious file from JPEG to PHP file and
then forwarded the file to the system. The file was saved successfully to the system uploads
folder as shown in the figure below. Formerly, the malicious file had an extension of .php and
was to change .jpeg to bypass the client-side field restriction. The PHP file is a Reverse Shell

15
source code that allows an attacker to access the shell of the server remotely (Moon 2015). We
added IP address 192.168.1.40 and port number 40 for the third VMware machine network to
access the shell, using the PHP file as shown below. Then, the third device was added to the
vmnet5 network with 192.168.1.40, and then we used a Net-cat command ‘nc -vlp 40’ to read
and write a TCP connection from 192.168.1.100 machine while running a malicious file from
the Dojo machine as shown below. Continuous exploiting allows the attacker to browse the
www directory that stores locally hosted Apache web applications and exposes its contents as
shown in the figure below. The second figure illustrates the malicious code we developed and
used the exposed database table details from test code in the dev directory, and it was
successfully uploaded and executed.

16
17
Recommendation

Blocking all non-allowable extensions and whitelist the allowable types will mitigate this kind
of attack. Also, using a server-side validation to block non-allowable extensions to protect
against evasion procedure to change the file type while data is traversing through the system is
another security measure that could be leveraged to block the attack. Moreover, a PHP server-
side validation can be used to block non-allowed extensions with a restriction of maximum and
minimum size of the allowed file type and include validation codes for changing of filename
and types. Moreover, using .htaccess to block the directory for storing uploaded files and use
an Antivirus to scan the files before submitting them to the database is another paramount
solution (see Appendix C for the file upload validation). Additionally, using a basic firewall
rule to block all outbound traffic initiated on port 443 can add another layer of protection.

Vulnerability 11

Using Reverse Shell Vulnerability: Accessing SQL Server

Impact Probability
High Low

Finding

Using Reverse Shell as a component with the known vulnerability allows the system to expose
its MySQL database connection details such as the database user, database name, and database
password as shown in the figure below. The exposed database name ‘webapp’ password
‘privacyisacriticalhumanright’ and the ‘root’ user was used to connect to the database as
indicated below on the reverse shell of Kali machine which has an IP address of 192.168.1.40.
Further, it was also used to update, select, use, drop, delete, and show SQL commands, the
figure below indicated how we exploited and propagated through the system database. We also
discovered that the passwords are stored in plain text.

18
Recommendation

This attack was based on an existing vulnerability that is a backdoor through vulnerable upload,
this expressed that ‘htaccess’ can be used to block unauthorized access to web directories and
files, and as well as limit access locally on GET, PUT, and POST methods, as shown on below
code:
“deny from all

allow from localhost

allow from 127.0.0.1 “

Additionally, using PHP server-side validation to restrict malicious file upload is another
important security layer to mitigate the attack. On the other hand, if the SQL server is accessible
directly, then it is important to use Firewall and IPsec and block access to the SQL server port.
Moreover, browsing through SQL server configuration if it in Linux, uncomment # the bind-
address line and add 127.0.0.1 to access the SQL server only locally. Lastly, use encryption
hashes like SHA-1 to encrypt the password characters.
Vulnerability 12

Cross Site Request Forgery: Adding Bogus followers

Impact Probability
Medium Low

Finding

We discovered that the GET method is used on the members' page

(https://vulnapp.com/members.php) for adding or dropping members from a friend list. The
GET method exposes its parameters via URL when submitting the form as shown below. We
developed an HTML file with two forms having actions:
https://vulnapp.com/members.php?add=imrana
https://vulnapp.com/members.php?add=imrana
The site was hosted in the www directory of web security dojo machine. We created a directory
in the www directory and named it HTML and then moved our malicious HTML file to this
new HTML directory. With the exposed parameters for adding and dropping a friend, we
developed two forms in this malicious HTML file so that each time the first form is submitted,
the system will automatically populate the followers of the currently active user as shown in
the figures below.

19
Recommendation

To mitigate the attack, disclose URL access variables and functions that are using the GET
method because GET method tokens can be found on HTTP log files. Moreover, the
application can be developed with a POST method and modify the server-side configuration to
only accept a request for the GET method. CSRF attacks are mostly using social engineering
to convince users to click a malicious link, therefore, users should be trained to avoid clicking
and accepting untrusty requests and if possible, disable JavaScript in the browser (Owasp
2015b).

20
Section 2: Vulnerability Investigation

Injection

An injection is a procedure for the insertion of SQL, LDAP, OS, or HTML-related commands
concatenated with an actual query from the clients’ side input parameter or cookie fields or
server variables to exploit the web application database layer (Hdiv 2015). Exploiting a system
using injections can allow an attacker to infiltrate and possibly query data from the victim
system (Owasp 2015a). It is stated that SQL injection attacks occur not only on Web
applications but also in Web protocols like HTTP (Scambray, Liu et al. 2011).
Explanations of SQL Injection Mechanisms

The web server forwards and receives data from users, OS, and DB. The SQL injection attacks
run from the client inputs parameter to affect the backend database. The code is a particular
script integrated into the actual query language that runs on the backend when executed. One
of the procedures to test the SQL vulnerability for a form field is to submit a single quotation
mark (‘) where the input parameter ends, or in an empty field to the system, to see if the system
returns a database error. The error message gives a clue if any code, database, or form field
might be vulnerable to an SQL injection attack. The error message denotes the usual SQL
injection type, while the blind type of SQL injection is the one that doesn’t return SQL error
message and that makes it more complicated to detect. A single quote is a delimiter in MySQL
language that is used to declare the end and beginning of string values (Scambray, Liu et al.
2011). Moreover, any unexpected characters can also be used to observe the outputs and
determine the system flaw.

Another attack in SQL injection is using OR between a string characters with a single quote
between unique characters like 1’OR’1’=’1 in a form field; this code alters how WHERE
conditional statement is executed. The OR logic tricks the query by always holding a true value
for AND statements. The OR logic and equal sign = are always true among the same or unique
characters like A=A and A OR A=A. Moreover, some SQL Server supports the batch statement
that allows execution of commands from the input parameter (w3schools 2016). Like,
Microsoft SQL Server 2000 allows multiple statements to be separated by a semi-colon ‘;’
which exposes to attack for executing arbitrary commands against the database. (Owasp 2014).
Moreover, double hyphens/comment operator “ -- “is used to escape the remaining input strings
of a parameter value given, all other characters after the given value range will be ignored
(Javanicus 2014). Lastly, the UNION and subquery SQL statements are also vulnerable to SQL
Injection Attacks.
Examples

Assuming a script and its SQL codes that are executed from a client to a server for querying
certain data from the database with a valid user identification would look like this:
https://vulnapp.com/login.php?user=imrana&pass=10839

21
SELECT * FROM members WHERE user=’admin’ AND pass=’1337admin’
When the above SQL statement is executed, it would let a user get indirect access to the system
database, and log in to the system.

If this below statement is executed to the database, the database will treat the pass field column
of the database as 10839 OR 1 = 1, and since 1 is always equals 1; hence a user logs in the
system successfully, when the user/other parts of AND is true.
https://vulnapp.com/login.php?user=imrana&pass=1’or’1’=’1
SELECT * FROM members WHERE user=’admin’ AND pass=’1’or’1’=’1’

If this statement below is executed, the output will escape the remaining strings for the user
and log on to the system.
SELECT * FROM members WHERE user=’im--’ AND pass=’1’or’1’=’1’
Lastly, an instance of batch execution is below:
SELECT * FROM members; DROP TABLE friends
Finally, the command injection attack can be done using the ‘&’ to concatenate and execute
multiple commands on a Linux terminal. A command injection type may be a Local File
Inclusion (LFI) or Remote File Inclusion (RFI). An example is shown below:

Protection

A simple way to mitigate the SQL injection attack is to identify the codebase that relates to the
SQL commands, and then, forward such users’ input parameters like UPDATE, INSERT,

22
DELETE, DROP, OR, AND to the system to inspect unexpected data like a single quote if
concatenated with the SQL statement (Stuttard, Pinto 2011).
High-level fix: Constrain User Input

Using a Server-side validation like PHP, with a well-structured regular expression. The below
code is a PHP validation of phone and email fields to escape all other characters apart from
declared ranges.
“ $var = '/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/';
if (preg_match($var, $var_email)) {
echo $var_email = " your email is accepted.";
} else {
echo $var_email "Your email is not accepted.";
} “ (Gavin 2012).

if(!preg_match("^\\+[0-9]{2,3}+-[0-9]{10}, $_POST['contact'])) {
echo $message = "Wrong mobile number for contact ";

Configuration fix: Intrusion Detection Rule (IDS) rule

A Web Application IDS Appliances can be set for real-time investigations, monitoring, and
evaluating data in and out from the server. The form fields and cookies are used for the attack
mostly. The rule set to whitelist legitimate signatures inspects traffic between the application,
system database, and reporting of SQL errors (Pilorz 2008). The below regular expression can
be set in Snort Rules for detection of a single quote and double-hyphen (- -) in a cookie and
form fields using PHP (Mookhey, Burghate 2010).
“ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection -
Paranoid"; flow:to_server,established;uricontent:".php";pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i";
classtype:WebapplicationExploit; sid:10467; rev:8;) “

References

GAVIN, 2012. Email validation using regular expression in PHP.

HDIV, 19, 10, 2015, 2015-last update, SQL Injection (OWASP Top 10 - A1 Injection).
Available: http://www.hdiv.org/sqlinjection.php.

INSOMNIASEC, 2011-last update, CONCURRENCY VULNERABILITIES. Available:

https://www.owasp.org/images/8/8e/OWASP_NZDay_2011_BrettMoore_ConcurrencyVulne
rabilities.pdf.

JAVANICUS, Z., 2014-04-03, 2014-last update, Login Bypass Using SQL Injection.
Available: http://www.securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-
sql-injection.html.

MILLER, M., 2014. PHP password validation.

23
MISCHEL, M., 2009-last update, ModSecurity 2.5 securing your Apache installation and
web applications : prevent web application hacking with this easy-to-use guide [Homepage of
Packt Pub.], [Online].

MOOKHEY, K.K. and BURGHATE, N., 2010. SQL Injection and Cross-site Scripting
Attacks Created. http://www.symantec.com/connect/articles/detection-sql-injection-and-
cross-site-scripting-attacks#ref6 edn.

MOON, S., 10, 15, 2015, 2015-last update, Php reverse shell script from pentestmonkey.net.
Available: https://gist.github.com/silv3rm00n/5371322.

OWASP, 21 August 2015, 2015a-last update. Available:

https://www.owasp.org/index.php/Top_10_2013-Top_10.

OWASP, 12/8/2015, 2015b-last update, Cross-Site Request Forgery (CSRF) Prevention

Cheat Sheet. Available: https://www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet.

OWASP, 08/14/2014, 2014-last update, SQL Injection. Available:

https://www.owasp.org/index.php/SQL_Injection.

OWASP, 2013. Top 10 2013-A2-Broken Authentication and Session Management.

https://www.owasp.org/index.php/Top_10_2013-A2-
Broken_Authentication_and_Session_Management edn.

PILORZ, Ł, 2008. Intrusion detection for web applications.

https://www.owasp.org/images/3/3c/OWASP_WebIDS_pub.pdf edn.

SCAMBRAY, J., LIU, V. and SIMA, C., 2011. Hacking exposed web applications : web
application security secrets and solutions. 3rd ed.. edn. New York ; London: McGraw-Hill.

STUTTARD, D. and PINTO, M., 2011. The Web application hacker's handbook : finding
and exploiting security flaws. 2nd ed.. edn. Indianapolis, Ind.: Wiley.

W3SCHOOLS, 2016-last update, SQL Injection. Available:

http://www.w3schools.com/sql/sql_injection.asp.

Appendix

Appendix A: PHP validations code

“if (strlen($_POST["pass"]) <= '8') {
$passwordErr = "the Password Must Contain at Least 11 Characters!";
}
elseif(!preg_match("#[0-9]+#",$pass)) {
$passwordErr = "the Password Must Contain at Least 2 Numbers!";
}
elseif(!preg_match("#[A-Z]+#",$pass)) {
$passwordErr = "the Password Must Contain at Least 2 Capital
Letter!";
}

24
 elseif(!preg_match("#[a-z]+#",$pass)) {
$passwordErr = "Your Password Must Contain at Least 2 Lowercase
Letter!";
}
}”

Appendix B: JavaScript and PHP validations

PHP: ‘preg_match("/^0[7-9]0[0-9]{8}[a-z][A-Z].,/", $_POST['contact']))’

JavaScript: ‘validate[required,custom[integer][string],maxSize[200],minSize[10]] text-input’

Appendix C: PHP validation for file upload field.

‘ $filename = basename($_FILES['uploaded_file']['name']); $ext = substr($filename,

strrpos($filename, '.') + 1);
if (($ext != "exe") && (($ext != "PHP") (($ext != "jsp") ($_FILES["uploaded_file"]["type"]
!= "application/x-msdownload")) {
$errmsg_arr[] = 'Error: All file types except .exe .php .jsp files below 5 mb are not
accepted for upload'; } ‘

25

View publication stats