Active Bytes Task 3

Web Application Security Report

testphp.vulnweb.com

Date: October 29th, 2024

Submitted by: Aiswarya D

Page 1 of 29
Table of Contents
Table of Contents ..... 2
Confidentiality Statement ..... 4
Disclaimer ..... 4
Contact Information ..... 4
Assessment Overview ..... 5
Assessment Components ..... 5
  External Penetration Test ..... 5
Finding Severity Ratings ..... 6
Risk Factors ..... 6
Scope ..... 7
  Scope Exclusions ..... 7
Executive Summary ..... 8
Risk Distribution ..... 9
Vulnerability Summary & Report Card ..... 11
  External Penetration Test Findings ..... 11
Technical Findings ..... 13
  External Penetration Test Findings ..... 13
    Finding EPT-001: Insecure connection (Medium) ..... 13
    Finding EPT-002: Sensitive Information Disclosure (Critical) ..... 14
    Finding EPT-003: Sensitive Information Disclosure (High) ..... 15
    Finding EPT-004: Sensitive Information Disclosure (High) ..... 16
    Finding EPT-005: Reflected Cross-site scripting in search bar (Critical) ..... 17
    Finding EPT-006: Obtained Login credentials (High) ..... 18
    Finding EPT-007: SQL injection (Critical) ..... 19
    Finding EPT-008: SQL injection (Critical) ..... 20
    Finding EPT-009: PHP used is an out-dated version (Critical) ..... 21
    Finding EPT-010: SSRF (Server-side Request Forgery) (High) ..... 22
    Finding EPT-011: Local File Inclusion (LFI) (High) ..... 23
    Finding EPT-012: Weak Password Policy (High) ..... 24
Confidentiality Statement
This document is the exclusive property of VulnWeb and Aiswarya D. This document contains proprietary
and confidential information. Duplication, redistribution, or use, in whole or in part, in any form, requires
consent of both parties. I may share this document with auditors under non-disclosure agreements to
demonstrate penetration test requirement compliance.
Disclaimer
A penetration test is considered a snapshot in time. The findings and recommendations reflect the
information gathered during the assessment and not any changes or modifications made outside of that
period. Time-limited engagements do not allow for a full evaluation of all security controls. I prioritized
the assessment to identify the weakest security controls an attacker would exploit. I recommend
conducting similar assessments on an annual basis by internal or third-party assessors to ensure the
continued success of the controls.

Contact Information
Name | Title | Contact Information

Demo Corp
John Smith | Global Information Security Manager | Email: jsmith@democorp.com

TCM Security
Heath Adams | Lead Penetration Tester | Email: heath@tcm-sec.com

Assessment Overview
From October 28th, 2024 to October 29th, 2024, Vulnweb engaged my company to evaluate the security
posture of its infrastructure compared to current industry best practices; the engagement included an external
penetration test. All testing performed is based on the NIST SP 800-115 Technical Guide to Information
Security Testing and Assessment, OWASP Testing Guide (v4), and customized testing frameworks.
Phases of penetration testing activities include the following:
- Planning – Customer goals are gathered and rules of engagement obtained.
- Discovery – Perform scanning and enumeration to identify potential vulnerabilities, weak areas, and exploits.
- Attack – Confirm potential vulnerabilities through exploitation and perform additional discovery upon new access.
- Reporting – Document all found vulnerabilities and exploits, failed attempts, and company strengths and weaknesses.

Assessment Components
External Penetration Test

An external penetration test emulates the role of an attacker attempting to gain access to an internal
network without internal resources or inside knowledge. I attempted to gather sensitive information
through open-source intelligence (OSINT), including employee information, historical breached
passwords, and more that can be leveraged against external systems to gain internal network access. I
also performed scanning and enumeration to identify potential vulnerabilities in hopes of exploitation.

Finding Severity Ratings
The following table defines the levels of severity and the corresponding CVSS score ranges that are used
throughout the document to assess vulnerability and risk impact.

Severity | CVSS V3 Score Range | Definition
Critical | 9.0-10.0 | Exploitation is straightforward and usually results in system-level compromise. It is advised to form a plan of action and patch immediately.
High | 7.0-8.9 | Exploitation is more difficult but could cause elevated privileges and potentially a loss of data or downtime. It is advised to form a plan of action and patch as soon as possible.
Moderate | 4.0-6.9 | Vulnerabilities exist but are not exploitable or require extra steps such as social engineering. It is advised to form a plan of action and patch after high-priority issues have been resolved.
Low | 0.1-3.9 | Vulnerabilities are non-exploitable but would reduce an organization's attack surface. It is advised to form a plan of action and patch during the next maintenance window.
Informational | N/A | No vulnerability exists. Additional information is provided regarding items noticed during testing, strong controls, and additional documentation.

Risk Factors
Risk is measured by two factors: business and technical.

Scope
Assessment | Details

External penetration test | http://testphp.vulnweb.com/

Risk Distribution

Vulnerability Summary & Report Card
The following tables illustrate the vulnerabilities found by impact and recommended remediations:

External Penetration Test Findings

Critical: 5 | High: 6 | Moderate: 1 | Low: 0 | Informational: 0

Finding | Severity | Recommendation

External Penetration Test
EPT-001: Insecure connection | Medium | Change the webpage to "https" from "http".
EPT-002: Sensitive Information Disclosure | Critical | Remove the user credentials.
EPT-003: Sensitive Information Disclosure | High | Remove the web page contents.
EPT-004: Sensitive Information Disclosure | High | Implement access controls.
EPT-005: Reflected Cross-site scripting in search bar | Critical | Input validation and filtering.
EPT-006: Obtained Login credentials | High | Remove the webpage or the contents.
EPT-007: SQL injection | Critical | Implement input validation and parameterized queries, including prepared statements.
EPT-008: SQL injection | Critical | Use prepared statements, encrypt data.
EPT-009: PHP used is an out-dated version | Critical | Upgrade to a supported version of PHP.
EPT-010: SSRF (Server-side Request Forgery) | High | Avoid direct file paths in requests.
EPT-011: Local File Inclusion (LFI) | High | Only permit file requests from a predefined list of allowable files.
EPT-012: Weak Password Policy | High | Implement access controls.

Technical Findings
External Penetration Test Findings
Finding EPT-001: Insecure connection (Medium)
Description: If a website uses "http" instead of "https", all requests and responses can be read by
anyone who is monitoring the session. "http" messages are plaintext, which means
unauthorized parties can easily access and read them over the internet. In contrast,
"https" transmits all data in encrypted form.
System: http://testphp.vulnweb.com/

Tools Used: Web browser

References: https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html

Proof of concept

Mitigations
Change the webpage to “https”.
1. Obtain an SSL Certificate: Purchase one from your hosting provider or a trusted CA.
2. Install and Configure SSL: Follow your hosting provider's instructions for SSL installation on your web server.
3. Enable HTTPS Redirection: Configure your server to redirect all HTTP traffic to HTTPS.
4. Update Internal Links: Modify all internal links within your website code to use HTTPS URLs.
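The following Python check is an added example, not part of this report or of the tested site: it parses constructed sample HTTP responses (not captures from the target) and verifies the two things the steps above should produce, a redirect from http:// to https:// on the same host and a Strict-Transport-Security header on the HTTPS response.

```python
"""Verify the EPT-001 remediation from captured HTTP responses.

Added example, not part of the original report. The three responses below are
constructed samples: what the unremediated site answers, what a remediated
server should answer on port 80, and what the HTTPS site should answer.
"""
from urllib.parse import urlsplit


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_code, headers with lowercase names)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")  # first colon only; URLs keep theirs
        headers[name.strip().lower()] = value.strip()
    return status, headers


def http_redirects_to_https(raw: str, expected_host: str) -> bool:
    """True when a plain-HTTP response redirects to https:// on the expected host."""
    status, headers = parse_response(raw)
    if status not in (301, 302, 307, 308):
        return False
    target = urlsplit(headers.get("location", ""))
    return target.scheme == "https" and target.hostname == expected_host


def has_hsts(raw: str, min_max_age: int = 31536000) -> bool:
    """True when Strict-Transport-Security is present with max-age of at least one year."""
    _, headers = parse_response(raw)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return False
    for directive in hsts.split(";"):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age" and value.isdigit():
            return int(value) >= min_max_age
    return False


# Constructed sample: the unremediated site serves the page over plain HTTP.
BEFORE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
# Constructed sample: a remediated server answering on port 80.
AFTER_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://testphp.vulnweb.com/\r\n\r\n"
# Constructed sample: the HTTPS response once HSTS is enabled.
AFTER_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n<html>...</html>"
)

if __name__ == "__main__":
    host = "testphp.vulnweb.com"
    print("before:", http_redirects_to_https(BEFORE, host))      # False
    print("after :", http_redirects_to_https(AFTER_HTTP, host))  # True
    print("hsts  :", has_hsts(AFTER_HTTPS))                      # True
```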

Technical Impact
1. Data Interception: HTTP sends data in plaintext, so it is simple for attackers to intercept login
credentials, personal data, or payment details.

2. MITM Attacks: Attackers can modify messages in transit, inject malware, or redirect a legitimate user to a
phishing webpage.

Business Impact
Loss of Customer Trust: Users want to have safe connections; thus, the absence of HTTPS will bring a reputation loss
to the company regarding whether the website is genuine or secure.

Finding EPT-002: Sensitive Information Disclosure (Critical)
Description: The login credentials username="test", password="test" are displayed on the page and
are visible to everyone who visits the signup page.

System: http://testphp.vulnweb.com/login.php

Tools Used: Web browser

References: https://knowledge-base.secureflag.com/vulnerabilities/sensitive_information_exposure/sensitive_information_disclosure_vulnerability.html#:~:text=Sensitive%20Information%20Disclosure%20(also%20known,to%20have%20access%20to%20it.

Proof of concept

Mitigations

Remove the user credentials. Ask the user to reset the password.

Technical Risks
Increased Attack Surface: Visible credentials make a system vulnerable to brute force, credential stuffing and
similar attacks, increasing the chances of unauthorized access and eventual compromise.

Data Breach Potential: If attackers use these credentials to access sensitive user data, the result is a data breach
that violates data protection regulations and leaks customer information.

Business Risks

Published login credentials, such as "test/test", make the organization appear irresponsible toward the security of
users' credentials and damage the brand by losing customer trust.

Financial Loss: When attackers abuse the credentials to exploit system resources or conduct unauthorized
transactions, the organization will suffer financial losses.

Finding EPT-003: Sensitive Information Disclosure (High)
Description:
The contents of the admin directory are visible. This directory contains sensitive
information about the org.
System: http://testphp.vulnweb.com/admin

Tools Used: Web browser

References: https://knowledge-base.secureflag.com/vulnerabilities/sensitive_information_exposure/sensitive_information_disclosure_vulnerability.html#:~:text=Sensitive%20Information%20Disclosure%20(also%20known,to%20have%20access%20to%20it.

Proof of concept

Mitigations
- Hide Sensitive contents from this web page. Implement access controls.

Technical risk

Unauthorized Access to Sensitive Data: The sensitive files present in the admin directory can expose proprietary
information, system configurations, and even credentials that attackers may use for unauthorized access or other
malicious purposes.

Threat of malware injection or ransomware: If attackers can identify exploitable admin files or settings, they might
inject malicious code or start a ransomware attack.

Business risk

Damage to Reputation and Trust of Brand: Unauthorized access to sensitive information may damage the reputation of
the organization, resulting in loss of trust by customers, partners, and even investors.

Finding EPT-004: Sensitive Information Disclosure (High)
Description: The contents of the CVS directory are visible. This directory contains log history and other
sensitive information about the org.
System: http://testphp.vulnweb.com/CVS

Tools Used: Web browser

References: https://www.ibm.com/docs/en/snips/4.6.0?topic=categories-information-disclosure-attacks

Proof of concept

Figure 5: Impersonation of “sup”

Mitigations
Hide sensitive contents from this web page. Implement access controls.

Technical risks

Information Disclosure: Sensitive files can contain critical information like configuration details, database
credentials, source code, API keys, and encryption keys, leading to significant security risks.

Business risk

Sensitive file disclosure can lead to customer trust issues if attackers use the information to breach the application or
expose confidential data, causing reputational damage to the business.

Finding EPT-005: Reflected Cross-site scripting in search bar (Critical)
Description: An attacker could inject malicious code into the search parameter, which is reflected
in the page. When another user opens a link carrying that payload, the attacker's
code runs in the victim's browser. This code could steal the user's login
information, redirect them to malicious sites, or disrupt the website itself.
The payload "<img src=s onerror=alert(1)>" was used.

System: http://testphp.vulnweb.com/

Tools Used: Web browser


References: https://portswigger.net/web-security/cross-site-scripting/reflected

Proof of concept

Mitigations

- Input Validation and Filtering: Examine all user-supplied data upon receiving it.
- Output Encoding: Before displaying any user-controlled data, encode it appropriately based on the context (HTML, URL, JavaScript, etc.).
- Web Application Firewall: It can provide an additional layer of security and can be configured to block malicious requests containing potential XSS payloads.
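As an added example (not code from this report or from the tested site), the Python below reflects the report's own payload first without encoding and then through a context-aware encoder for the HTML body, an attribute value and a JavaScript string literal; the page fragments and the field name are constructed for illustration.

```python
"""Context-aware output encoding for the reflected XSS in the search bar (EPT-005).

Added example, not code from the report or the tested site. render_unsafe() is the
vulnerable pattern (raw reflection); render_safe() encodes every reflection for
the context it lands in. The payload is the one quoted in the finding.
"""
import html
import json

PAYLOAD = "<img src=s onerror=alert(1)>"  # payload quoted in the report


def render_unsafe(query: str) -> str:
    """The vulnerable pattern: user input copied straight into the page (constructed fragment)."""
    return f"<p>You searched for: {query}</p>"


def encode_for(context: str, value: str) -> str:
    """Escape `value` for the named output context.

    html      : text between tags; & < > " ' become entities
    attribute : inside a quoted attribute value; same entity set, quotes required
    js        : inside a <script> string literal; JSON-encode and additionally
                escape < and > so a literal </script> cannot close the block
    """
    if context in ("html", "attribute"):
        return html.escape(value, quote=True)
    if context == "js":
        return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")
    raise ValueError(f"unknown output context: {context}")


def render_safe(query: str) -> str:
    """Hardened page: each reflection of the query is encoded for its own context."""
    return (
        f"<p>You searched for: {encode_for('html', query)}</p>\n"
        f'<input type="text" name="searchFor" value="{encode_for("attribute", query)}">\n'
        f"<script>var lastQuery = {encode_for('js', query)};</script>"
    )


def reflects_raw_tag(page: str) -> bool:
    """Crude demo check: does a live <img ...onerror=...> tag survive in the output?"""
    return "<img" in page and "onerror=" in page


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))  # tag survives, so the handler runs in the victim's browser
    print(render_safe(PAYLOAD))    # tag is rendered as text; attribute and JS literal stay closed
```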

Technical risks

Malicious Redirection and Phishing: Attackers can use XSS for redirecting the users to malicious sites; thus, the
platform turns into a phishing tool to capture sensitive information from innocent users.

Business risk

Loss of customer trust: When the malicious behavior involves phishing pop-ups or redirects to untrusted websites,
customers no longer trust the site's security, reducing customer loyalty and retention.

Finding EPT-006: Obtained Login credentials (High)
Description: It was possible to find the login credentials of a user at
http://testphp.vulnweb.com/pictures/credentials.txt. These user credentials can
later be used to log in to any web pages associated with them.
System: http://testphp.vulnweb.com/pictures/credentials.txt

Tools Used: Web browser


References: https://www.sciencedirect.com/topics/computer-science/login-credential

Proof of concept

Figure 8: Successfully relayed LDAP credentials via mitm6

Mitigations
Remove the webpage or the contents.

Technical risks
With valid credentials, attackers will be able to download sensitive data, modify system settings, and might
even leave behind backdoors. This eventually compromises the integrity and availability of the system.

Business risk

Loss of trust: Once user credentials are exposed, users feel that the platform is not safe, which reduces
customer trust in using it.
Loss of funds: Once an attacker steals users' credentials and uses them for fraud or unauthorized access, the
organization loses money.

Finding EPT-007: SQL injection (Critical)
Description: The login page is vulnerable to SQL injection (a common attack vector that uses
malicious SQL code for backend database manipulation to access information that
was not intended to be displayed). It is possible to bypass the login page with the
SQL payload a' or '1'='1. When the login page is vulnerable to SQL injection, an
attacker can log in with just a username and without the password. This can result
in unauthorized access to sensitive data, such as passwords, credit card numbers
and personal information.
System: http://testphp.vulnweb.com/login.php

Tools Used: Burp Suite

References: https://owasp.org/www-community/attacks/SQL_Injection

Proof of concept

Mitigations

Implement input validation and parameterized queries, including prepared statements.

1. Prepared Statements and Parameterization: Queries are built with placeholders (?) instead of directly embedding
user input. User input is provided separately as parameters. The database engine safely handles the query, preventing
malicious code execution.
2. Input Validation and Sanitization: Always validate and sanitize user input: remove or escape special characters that
could be used for injection (e.g., quotes, semicolons). Enforce allowed data types and formats.
3. Least Privilege Principle: Grant database users only the minimum permissions required. This minimizes potential
damage if an attacker gains unauthorized access.
4. Stored Procedures (cautiously): Stored procedures can be secure if implemented carefully. Store the complete logic
within the database. Pass sanitized parameters to the stored procedure.

Technical risk
Database Corruption or Manipulation: SQL injection could enable attackers to delete, modify, or insert data within the
database, corrupting

Business risk
Operational Disruptions: Manipulated or deleted data can interrupt daily operations, especially if it impacts critical
business functions, leading to productivity losses

Finding EPT-008: SQL injection (Critical)
Description: The webpage http://testphp.vulnweb.com/product.php?pic=1 is vulnerable to SQL
injection. It is possible to view all the contents of other pages.

System: http://testphp.vulnweb.com/product.php?pic=1

Tools Used: Burp Suite

References: https://owasp.org/www-community/attacks/SQL_Injection

Proof of concept

Mitigations

- Use prepared statements (parameterized queries): Prepared statements separate the SQL code from the user input.
- Validate and sanitize inputs: Rigorously examine all user inputs before incorporating them into SQL queries.
- Minimize database privileges.
- Encrypt data.
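As an added example that is not code from this report or from testphp.vulnweb.com, the following Python/sqlite3 program places the string-built queries behind login.php (EPT-007) and product.php?pic= (EPT-008) beside the parameterized replacements recommended for both findings, using a constructed in-memory schema; it shows the report's bypass string succeeding against the former and failing against the latter.

```python
"""Vulnerable and hardened database access for EPT-007 (login.php) and
EPT-008 (product.php?pic=...).

Added example, not code from the report or from testphp.vulnweb.com; the
schema and rows are constructed (plaintext passwords are kept only to mirror
the finding; a real schema stores hashes). The *_vulnerable functions build SQL
by string concatenation, so the bypass quoted in the report turns the WHERE
clause into a tautology. The *_safe functions validate the input and bind it as
a parameter, so the same text is compared as data rather than parsed as SQL.
"""
import sqlite3
from typing import List, Tuple

BYPASS = "a' or '1'='1"  # bypass string quoted in finding EPT-007


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users(uname TEXT, pass TEXT);
        INSERT INTO users VALUES ('test', 'test'), ('alice', 'S3cret!pass');
        CREATE TABLE products(id INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 'lamp'), (2, 'chair'), (3, 'desk');
        """
    )
    return db


def login_vulnerable(db: sqlite3.Connection, uname: str, password: str) -> bool:
    """Concatenated query: quotes inside the input become part of the SQL."""
    sql = f"SELECT 1 FROM users WHERE uname='{uname}' AND pass='{password}'"
    return db.execute(sql).fetchone() is not None


def login_safe(db: sqlite3.Connection, uname: str, password: str) -> bool:
    """Parameterized query: the driver binds the values, so input is never parsed as SQL."""
    row = db.execute(
        "SELECT 1 FROM users WHERE uname=? AND pass=?", (uname, password)
    ).fetchone()
    return row is not None


def product_vulnerable(db: sqlite3.Connection, pic: str) -> List[Tuple[str]]:
    """Numeric parameter concatenated unquoted: a tautology in `pic` lists every product."""
    return db.execute(f"SELECT name FROM products WHERE id={pic}").fetchall()


def product_safe(db: sqlite3.Connection, pic: str) -> List[Tuple[str]]:
    """Validate the type first (only an unsigned integer is accepted), then bind it."""
    if not pic.isdigit():
        raise ValueError("pic must be a positive integer")
    return db.execute("SELECT name FROM products WHERE id=?", (int(pic),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "nobody", BYPASS))    # True: no valid password needed
    print(login_safe(db, "nobody", BYPASS))          # False
    print(len(product_vulnerable(db, "1 OR 1=1")))   # 3: every product row leaks
    print(len(product_safe(db, "1")))                # 1
```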

Technical Risks
Data Leakage: An attacker can read, write, or delete the database contents through SQL injection attacks. This could
lead to the leakage of sensitive data such as user credentials, personal data, and the transaction history.

Business Risks
Loss of Customer Trust: In case the attackers use this vulnerability to gain access to sensitive information, then
customer trust will be lost, and there could be a loss of clients or users.

Reputational Damage: Reputational loss due to media reports on the attack; this may have negative repercussions on
partnerships and future business opportunities.

Finding EPT-009: PHP used is an out-dated version (Critical)
Description:
The PHP version in use is outdated and poses several security risks due to known
vulnerabilities patched in recent versions.
System:
http://testphp.vulnweb.com/login.php

Tools Used: Kali Linux terminal

References: https://www.linkedin.com/pulse/how-outdated-php-versions-can-affect-your-wordpress-site-vibidsoft-kdmif#:~:text=Running%20an%20outdated%20version%20of,with%20the%20latest%20PHP%20releases.

Proof of concept

Mitigations
Upgrading to a supported version of PHP (preferably the latest stable release) is strongly recommended to
ensure the server is secure and to benefit from performance improvements and bug fixes.

Technical risk

Lack of Security Patches: Any newly discovered vulnerabilities in PHP 5.6 will remain unpatched, increasing the
likelihood of successful exploitation

Business risk

Reputational Damage: If the application is compromised, customer trust could decrease, impacting the organization’s
reputation and customer retention.

Finding EPT-010: SSRF (Server-side Request Forgery) (High)
Description: Attackers can access files like /etc/passwd by specifying a path that triggers the
server to fetch the file's contents. Here the application reads URLs and returns the
raw content to the user.
System: http://testphp.vulnweb.com/

Tools Used: Burp Suite

References: https://portswigger.net/web-security/ssrf

Proof of concept

Mitigations

Avoid direct file paths in requests. Instead, use an index or a reference ID that maps to a file path server-side.

Ensure that web applications have restricted access to sensitive system files. Web server permissions should be limited
to the minimum required.

Technical risk
Privilege Escalation: Although /etc/passwd does not directly contain passwords, attackers may use the information to
attempt brute-force attacks or find other weaknesses in the system.

Business risk
Unauthorized access to server files could expose sensitive data, harming the organization's reputation.

Finding EPT-011: Local File Inclusion (LFI) (High)
Description: Traversed the directory structure to access a sensitive system file (/proc/version),
which contains details about the operating system version.
System: http://testphp.vulnweb.com/

Tools Used: Burp Suite

References: https://www.indusface.com/learning/file-inclusion-attacks-lfi-rfi/#:~:text=Local%20File%20Inclusion%20(LFI),the%20file%20path%20to%20include.

Proof of concept

Mitigations
Only permit file requests from a predefined list of allowable files.
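One way to implement the server-side reference ID recommended for EPT-010 and the predefined allowlist recommended here for EPT-011, as an added Python example that is not code from this report or the tested site; the allowlist entries, directory and file contents are constructed for illustration.

```python
"""Serve files by opaque reference ID instead of by client-supplied path
(mitigation for EPT-010 and EPT-011).

Added example, not code from the report or the tested site. The client sends
only a short token; the server looks it up in a fixed table and resolves the
result under one base directory, so traversal sequences, absolute paths and
URLs never reach a filesystem or network call. Names below are constructed.
"""
from pathlib import Path
import tempfile
from typing import Dict

# Constructed allowlist: the only files the page may serve, keyed by reference ID.
ALLOWED_FILES = {
    "terms": "terms.txt",
    "privacy": "privacy.txt",
}


class FileRequestRejected(Exception):
    """Raised for any request that is not an allowlisted reference ID."""


def resolve_file(base_dir: Path, ref: str) -> Path:
    """Map `ref` to a path under base_dir or raise FileRequestRejected.

    Two independent checks: the ID must be in the allowlist (the client never
    supplies a path), and the resolved path must still lie under base_dir
    (defence in depth in case the table itself is ever edited carelessly).
    """
    name = ALLOWED_FILES.get(ref)
    if name is None:
        raise FileRequestRejected(f"unknown file reference: {ref!r}")
    base = base_dir.resolve()
    target = (base / name).resolve()
    if base not in target.parents:
        raise FileRequestRejected(f"{name!r} escapes {base}")
    return target


def serve(base_dir: Path, ref: str) -> str:
    """Return the contents of the file behind an allowed reference ID."""
    return resolve_file(base_dir, ref).read_text()


def demo() -> Dict[str, bool]:
    """Exercise the resolver in a temporary directory; True means behaved as expected."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "terms.txt").write_text("constructed terms text")
        results["allowed_id"] = serve(base, "terms") == "constructed terms text"
        # Inputs of the kinds the report describes: traversal to /proc/version, an
        # absolute system file and a URL. None of them is an allowlisted ID.
        for bad in ("../../proc/version", "/etc/passwd", "http://127.0.0.1/"):
            try:
                serve(base, bad)
                results[bad] = False
            except FileRequestRejected:
                results[bad] = True
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case!r}: {'as expected' if ok else 'UNEXPECTED'}")
```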

Technical risk

If the attacker can find a way to execute code on the server, LFI could escalate to Remote Code Execution

Business risk

Exposure of sensitive data can lead to reputational damage and legal repercussions, especially if customer or business
data is leaked.

Finding EPT-012: Weak Password Policy (High)
Description: The webpage follows a weak password policy. If a strong password policy is not
implemented, it can make the webpage easily vulnerable to attacks.

System: http://testphp.vulnweb.com/login.php

Tools Used: Web browser


References: https://cwe.mitre.org/data/definitions/521.html

Proof of concept

Mitigations

- Create a password with a minimum of 8 characters.
- Passwords should contain special characters, numbers and symbols.
- Implement a password strength meter that gives users real-time feedback on the strength of their chosen password.
- Store passwords securely using a hashing algorithm.
- Implement Multi-Factor Authentication, which asks the user to enter a one-time password sent to their registered mobile number or e-mail id.
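The following Python is an added example (not code from this report or the tested site) that turns the first four mitigations above into a working policy check, a simple strength score for a meter, and salted PBKDF2 hashing for storage; the common-password list and the iteration count are assumptions chosen for illustration.

```python
"""Password policy check and password storage for EPT-012.

Added example, not code from the report or from the tested site. It enforces
the rules listed in the mitigation (at least 8 characters, a digit and a special
character; the report's "symbols" are treated as the same class as special
characters), produces a 0-4 score for a strength meter, and stores a salted
PBKDF2 hash instead of the password itself. The 4-character passwords the
report observed being accepted fail the policy here.
"""
import hashlib
import hmac
import os
import string
from typing import List, Optional

MIN_LENGTH = 8
SPECIALS = set(string.punctuation)
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)
COMMON = {"password", "test", "12345678", "qwerty"}  # constructed denylist sample


def policy_violations(password: str) -> List[str]:
    """Return every policy rule the password breaks; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if password.lower() in COMMON:
        problems.append("common password")
    return problems


def strength_score(password: str) -> int:
    """0-4 score for a real-time meter: character-class variety plus length bands."""
    if not password:
        return 0
    classes = sum(
        1 for has in (str.islower, str.isupper, str.isdigit, lambda c: c in SPECIALS)
        if any(has(c) for c in password)
    )
    length_points = min(len(password) // 4, 2)  # 0 below 4 chars, 1 for 4-7, 2 for 8+
    return min(4, (classes - 1) + length_points)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("test", "Correct!Horse9"):
        print(candidate, policy_violations(candidate) or "OK", "score", strength_score(candidate))
    record = hash_password("Correct!Horse9")
    print(record)
    print(verify_password("Correct!Horse9", record), verify_password("test", record))  # True False
```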

Technical risk

Data integrity and confidentiality breach: weak password policies lead to unauthorized access to data that may be
manipulated or disclosed without authorization.

Business risk

Reputational Damage: Customers and partners might lose trust in the organization after a breach, affecting customer
loyalty, market position, and brand value.

Security Weakness
- Weak Password Policy
I successfully performed password guessing attacks against testphp login forms. It doesn't have a strong password
policy. Users are even able to create passwords with just 4 characters.

- Missing Multi-factor Authentication
Multi-factor Authentication is missing from the login page. It enables an attacker to log in to an account with only a
username and password.

Last Page

Demo Corp
BUSINESS CONFIDENTIAL
Copyright © TCM Security (tcm-sec.com)
