The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Transcription

1 This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out in this report are no longer relevant. The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

2 Sahrat Arabia Penetration Testing Report Date: 28-Oct-XXXX Version: 1.0 Classification: Confidential 2

3 Document Details Document Title Vulnerability Assessment and Penetration Testing Report Document version V1.0 Created by Creation date October 28 th, 20XX Type PDF Creation date October 28 th, 20XX Document Type Confidential Revision History Version Date Author Change Description Classification: Confidential 3

4 1. Introduction The document hereby describes the proceedings and results of Vulnerability Assessment and Penetration testing conducted for their Sahrat Arabia Web Applications by the activity was performed from 27 th October 20XX to as a part of a risk management exercise. The scope of the activity covered the Vulnerability Assessment and Penetration testing of its web application.. 2. Scope of Work The scope of work was limited to the External Penetration Testing for Sahrat Arabia web applications. This assessment would prioritize the discovered risks, based on the impact and also generate a detailed report of the exercise with possible recommendations, which shall guide the organization into selecting a cost effective method to mitigate the identified risks. SQL injection. Data Input Validation. Open redirection vectors. Authentication vulnerabilities like weak passwords, username enumeration, and logic flaws. Defects in session handling, such as predictable tokens, unsafe transmission of tokens, session Fixation and liberal cookie scope. Broken access controls, leading to horizontal and vertical privilege escalation. Local privacy vulnerabilities, resulting in sensitive data being stored in cookies, the browser cache and the auto complete store. Classic vulnerabilities in native code components, such as buffer overflows, integer arithmetic flaws, and format string bugs Classification: Confidential 4

5 3. Execution Methodology The entire test is conducted from internet. At the end of the security testing, Penetration testers identifies the possible security threats and documents them, to be submitted as a final report. The Assessment was done from HackerLocked Penetration Testing Lab network, using various tools and techniques. The tests were conducted for the following website: The various steps followed as part of attack and penetration has been given below: Web Application and Web Server Information Gathering Web Application Vulnerability Scanning Exploiting Vulnerabilities 4. Our Approach In order to assess the security of the target systems Hackers Locked followed a unique Penetration testing methodology based on the Open Source Security Testing Methodology Manual (OSSTMM), NIST Standards as well as Open Web Application Security Project (OWASP). Classification: Confidential 5

6 Following is the methodology that we followed for the testing: A brief description on each of the approach steps is given below: Analyzing the application and deciding which areas need testing Hacking the areas where the vulnerability is expected Documentation of the found vulnerabilities Discussions of the possible causes Discussions on the possible remediation Classification: Confidential 6

7 5. Summary of the Results To prioritize the vulnerabilities and the risk factors we have categorized the findings as High, Medium and Low or Informational based on the severity. The factors such as impact, popularity and simplicity of the attacks are considered in determining the severity of the vulnerabilities as given below RATING LEVEL OF SEVERITY HIGH High risk vulnerability can be exploited by an attacker to gain full administrator/root access to the application or its underlying operating system. MEDIUM LOW Medium risk vulnerability reveals information about the application and its underlying infrastructure that can be used by an attacker in conjunction with another vulnerability to gain administrative control of the application or its underlying operating system. Low risk vulnerability can result in enumeration of vital Information held by or about the Application or its underlying operating system. INFORMATIONAL Information risk Vulnerability can result to lead further attacks. That allows attackers to collect sensitive information about the applications (open ports, services, database, version of software installed etc.) Classification: Confidential 7

8 6. Detailed Report We have identified lots of vulnerabilities for Sharat Arabia application website 6.1 Information Gathering and Foot Printing: Test Performed Severity Findings Information Gathering and Foot Printing Informational It was observed that the target host belongs to Sahrat Arabia domain and it is registered with a hosting Provider. The contact details are available publicly giving a slight opportunity for the attackers to misuse the information available on the Internet. Recommendation It is recommended to confirm that the records are up to date and request the service provider to hide the details. Figure 1: Snapshot below indicates that the target host registered to which Site Hosting Provider Classification: Confidential 8

9 Operating System and Service Identification Classification: Confidential 9

10 The Operating system/services were identified based on the crafted packets sent to the server and received the approximate results. We have taken all possible measures to avoid false positives although it is not possible to eliminate them fully. S. No IP Address Operating System / Application Open and Exposed Services Linux 2.6 Operating System Web service, service, FTP 6.2 Port Scanning Test Performed Severity Port Scanning Low Classification: Confidential 10

11 Findings With customized scripts and tools like Nmap it is possible to retrieve Port Information of a target host using Port Scanning Method. Recommendation It is recommended to block unused service Ports. Figure 2: Snapshot below indicates the Ports which are Listening in sahrat arabia webserver. 6.3 Privilege Escalation Classification: Confidential 11

12 This phase describes about escalating the privileges using the open ports and services found on the target systems. Nessus, Paros Proxy, Nikto, Brutus, Burp Suite, Core Impact and manual techniques were used to check for the vulnerabilities on the systems. The detailed observations and techniques are provided below Test Performed Severity Findings Recommendation URL manipulation attacks High Entered URL in a web browser. And able to login to administrator webpage without userid and password. Which makes an attacker can again system level privileges to control the host. It is recommended to put necessary access controls in website. And enable highest level of security to safeguard user account details. Figure 3: Snapshot below indicates the admin webpage of sahrat arabia webserver. Classification: Confidential 12

13 Figure 4: Snapshot below indicates the attacker authenticated admin webpage of sahrat arabia webserver. Classification: Confidential 13

14 Figure 5: Snapshot below indicates the attacker created an admin account (hackerslocked) Classification: Confidential 14

15 Figure 6: Snapshot below indicates the attacker can retrieve all the user accounts Classification: Confidential 15

16 6.3.2 Test Performed Cross Site Scripting Classification: Confidential 16

17 Severity Findings Recommendation High Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user. Filter metacharacters from user input. Figure 7: Snapshot below indicates the attacker can inject malicious code in to a vulnerable application The GET variable albumid has been set to --><ScRiPt%20%0a%0d>alert( )%3B</ScRiPt> and Get Variable country has been set to <ScRiPt%20%0a%0d>alert( )%3B</ScRiPt>. Classification: Confidential 17

18 Classification: Confidential 18

19 Figure 8: Snapshot below indicates the attacker can inject malicious code in to a vulnerable application Classification: Confidential 19

20 The GET variable country has been set to <iframe/+/onload=alert( )></iframe>. Figure 8: Snapshot below indicates the attacker can inject malicious code in to a vulnerable application. The GET variable country has been set. Classification: Confidential 20

21 6.3.3 Test Performed Severity SQL Injection High Classification: Confidential 21

22 Findings Recommendation An unauthenticated attacker may execute arbitrary SQL/XPath statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. Filter metacharacters from user input. Figure 9: Snapshot below indicates the attacker can inject the system database and retrieve Mysql Error Message. Classification: Confidential 22

23 6.3.4 Test Performed Failure to Restrict URL Access Classification: Confidential 23

24 Severity Findings Recommendation Medium PHPinfo page has been found on this directory. The PHPinfo page outputs a large amount of information about the current state of PHP. This file may expose sensitive information that may help an malicious user to prepare more advanced attacks. Remove the file from production systems. URL: We found <title>phpinfo()</title> - END OF THE REPORT - Classification: Confidential 24