Sample Web Application Penetration Testing Report v1.0

Eventus conducted a vulnerability assessment and penetration testing for a client's web application, identifying various security vulnerabilities including one high severity Cross-Site Scripting attack and several medium and low severity issues. The report outlines the assessment's objectives, findings, and provides actionable recommendations for remediation to enhance the application's security posture. The testing was performed between July 24, 2023, and August 1, 2023, focusing solely on the specified web application.


Vulnerability Assessment & Penetration Testing Report

For ClientName

1
About Eventus
We are pleased to introduce ourselves as “Your Customer Success Partner in Cyber Security.”

Established in the year 2017, we are a team of highly skilled professionals who deliver excellence in next generation cyber security services and custom-tailored solutions for your enterprise, by defining proof of value and measuring it continuously to achieve customer success.

At Eventus the delivery team holds certifications from Offensive Security, AWS, Google, Fortinet, Trend Micro, EC-Council, ISACA, ISC2 and ISO. This provides assurance that services are delivered with high quality and in accordance with industry standards.

Eventus is also empanelled by CERT-In for providing Information Security Auditing Services.

Below is “Our Engagement Model”:

Cyber Resilience: Red Teaming, Breach Attack Simulation, Adversary Services, Penetration Testing, OSINT, Application Security, Cloud Security, DevSecOps practices

Cyber Defense: Powered by the Trend Micro SIEM and SOAR platform, delivering 24x7 Monitoring, Deep Analysis, Incident Response, Threat Hunting, Threat Intelligence, Custom playbooks and incident lifecycle support, and Digital Forensics. We also provide Managed XDR Services.

Customer Success: Proactive Health Assessment, Solution Effectiveness, Migration and Deployment services, Customer enablement, Cloud Posture Assessment, Security Maturity Assessment

At Eventus Security, we deliver a comprehensive engagement model for cyber security which starts with helping enterprises assess the effectiveness of their existing cyber security solutions and identify the gaps. We build our services around our customers’ needs to go beyond cyber security and become cyber resilient, helping clients identify, prioritize, emulate and eliminate threats more effectively and at more advanced levels.

We thank you for considering our security services and requesting a proposal. We look forward to extending the expertise of our passionate, world-class professionals to achieve your security objectives.

Maturity Model
Below are the assessment types an enterprise or organization can opt for to understand its current security posture. They are listed in increasing order of depth: vulnerability scanning acts as the enablement to understand the security posture, while adversary emulation offers a full in-depth understanding of the resiliency of the enterprise.

Over time these assessment types have been clubbed into the Red Team Exercise, which includes vulnerability assessment, penetration testing and adversary emulation. Together, these assessment types fit into the continuous evaluation phase of a red teaming exercise.

Vulnerability Scanning: In this assessment the goal is to identify known vulnerabilities on target
systems and applications.

Penetration Testing: Penetration testing goes a step further and exploits the vulnerabilities identified. This is the main differentiator from a vulnerability assessment, where vulnerabilities are only verified. Penetration testing involves exploiting vulnerabilities under controlled circumstances.

Adversary Emulation: Adversary emulation is a type of ethical hacking engagement where a Red Team
imitates how an attacker operates, leveraging frameworks like MITRE ATT&CK to identify specific
tactics, techniques, and procedures (TTPs) that a real threat actor might use against an organization.
Rather than focusing on attacks less likely to occur, these engagements draw upon Cyber Threat
Intelligence to identify adversaries with the intent, opportunity, and capability to attack.

Document Details
This report remains the property of Eventus Security and should not be redistributed outside the
organization without the explicit permission of the Information Security Testing team.

Document History
The table below outlines the version history of the document.

Version | Date       | Author         | Remark
0.1     | 02/08/2023 | Chinmay Patkar | Document Creation (Draft)
0.2     | 03/08/2023 | Nikhil Raut    | Review Comments
1.0     | 04/08/2023 | Chinmay Patkar | Document Release

Table of Contents
Project Summary ..................................................................................................................................... 6
Technical Findings ................................................................................................................................... 8
Appendix A | Open Port Information for In-Scope Application ............................................................ 24
app.com ................................................................................................................................................ 24
Appendix B | Risk Definitions................................................................................................................ 25
Appendix C | Tool Usage ....................................................................................................................... 27
Appendix D | Eventus Contact Information .......................................................................................... 28
Disclaimer.............................................................................................................................................. 29

Project Summary
Eventus performed an analysis of the client’s web application to identify vulnerabilities, determine the level of risk they present to the client, and provide actionable recommendations to reduce this risk. Eventus compiled this report to provide the client with detailed information on each vulnerability discovered during the web application penetration testing, including potential business impacts and specific remediation instructions.

Program Objectives
Eventus’s primary goal within this project was to provide the client with an understanding of the current level of security in the web application.

Eventus completed the following objectives to accomplish this goal:

▪ Identifying application-based threats to and vulnerabilities in the web application.
▪ Comparing the client’s current security measures with industry best practices.
▪ Providing recommendations that the client can implement to mitigate threats and vulnerabilities and meet industry best practices.

Scope and Timeframes

Testing and verification were performed between July 24, 2023 and August 01, 2023. The scope of this project was limited to the p2p web application.

Eventus conducted the tests on the in-scope web application. All other applications and servers were out of scope. All testing and verification were conducted from outside the client’s network.

Below is the web application URL in scope.

# URL
1 https://app.com/

Summary of Strengths
During our assessment, we observed the following properties of the application that are well designed
and serve towards its strengths:

▪ Most of the file upload functionality properly sanitises file types.

Summary of Findings (Weaknesses)

Eventus’s assessment of the client web application revealed the following vulnerabilities:

▪ 1 High severity vulnerability
▪ 3 Medium severity vulnerabilities
▪ 3 Low severity vulnerabilities
▪ 1 Informational severity vulnerability

VULNERABILITY NAME                                       | SEVERITY      | CVSS SCORE
Application is vulnerable to Cross-Site Scripting attack | High          | 8.3 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:H)
Application is vulnerable to CSV Injection attack        | Medium        | 6.8 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L)
Application is vulnerable to HTML injection attack       | Medium        | 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
Application's Response reveals sensitive information     | Medium        | 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Application is vulnerable to Simultaneous login          | Low           | 2.0 (AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N)
JWT Token Expiry Misconfigured                           | Low           | 3.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Valid user's details can be enumerated                   | Low           | 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Allows Disposable Email Addresses                        | Informational | 0.0 (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N)

The following table lists the OWASP Top 10 vulnerabilities and indicates which issues were identified
in the <appname> application.

CATEGORY FOUND
A1-Broken Access Control No
A2-Cryptographic Failures No
A3-Injection Yes
A4-Insecure Design No
A5-Security Misconfiguration Yes
A6-Vulnerable and Outdated Components No
A7-Identification and Authentication Failures No
A8-Software and Data Integrity Failures No
A9-Security Logging and Monitoring Failures No
A10-Server-Side Request Forgery (SSRF) No

Technical Findings
This section provides the narrative and description of the weaknesses that were exploited to gain unauthorized access to sensitive data or protected systems in the client environment via web application penetration testing. The intent was to closely simulate an adversary and provide sufficient detail to the client team.

Application is vulnerable to Cross-Site Scripting attack

Cross-site Scripting (XSS) is a client-side code injection attack. The adversary aims to execute malicious scripts in the victim’s web browser by including malicious code in a legitimate web page or web application. The web application’s help field was affected by cross-site scripting.

Affected URL/IP: https://app.com/

Severity: High

CVSS Score: 8.4 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)

Business Impact: An adversary can execute code in a victim’s browser and perform malicious activity, posing a serious security threat to the application.

Technical Impact: An adversary can affect the web application’s help field and perform other attacks such as social engineering, cookie stealing, etc.

Suggested Remediation: The following recommendations will help to mitigate the risk:

1. Strong input validation
2. Output escaping/encoding
3. Implement a proper Content-Security-Policy
4. Set the HttpOnly flag on the session cookie

Steps to Reproduce:

Step 1: Under the Settings tab, select User List, enter the payload “<iframe src="javascript:alert(document.cookie)"></iframe>” in the “Title” field and save the form.

Step 2: Visit the Org chart and select the user for whom the payload was entered.

Step 3: After selecting the user, the entered payload was executed successfully.

Reference Link:

https://www.softwaretestinghelp.com/html-injection-tutorial/

https://www.javatpoint.com/how-to-remove-special-characters-from-string-in-java

https://www.smashingmagazine.com/2011/01/keeping-web-users-safe-by-sanitizing-input-data/

Application is vulnerable to CSV Injection attack
Many web applications provide functionality to export data to spreadsheet files such as .CSV or .XLS, which may contain sensitive information. In a CSV Injection attack, the output of exporting the data to a spreadsheet can compromise the victim's machine (untrusted output). CSV Injection occurs when the data in a spreadsheet cell is not properly validated prior to export. The attacker usually injects a malicious payload (a formula) into an input field. Once the data is exported, the spreadsheet executes the malicious payload, treating it as a standard macro. This leads to the execution of arbitrary commands on the target machine, potentially even leading to complete 'command and control' of the target system.

Affected URL: https://app.com/

Severity: Medium

CVSS Score: 6.8 /AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

Business Impact: Attackers might exploit CSV injection to gain unauthorized access to sensitive
information stored in the application's database or linked systems. This could lead to the theft of
confidential data, including customer records, financial details, or intellectual property.

Technical Impact: CSV injection allows attackers to inject malicious data into the CSV file. This can lead
to data corruption, altering the intended values, and disrupting data integrity. Users and applications
relying on this data might make decisions based on incorrect information.

Suggested Remediation:

The following recommendations will help to mitigate the risk:

1. Ensure that no cells begin with any of the following characters:
   • Minus (“-”)
   • At (“@”)
   • Equals (“=”)
   • Plus (“+”)
2. Pay attention and inspect links carefully before clicking.
3. Don’t click attachments in emails unless you know exactly who sent them and what they are.
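An added example (not code from the report or the assessed application) of applying remediation item 1 on both sides of the export path in Python: rejecting formula-like values at the input field, neutralising any that are already stored when the list is exported, and auditing an existing export for cells a spreadsheet would evaluate. It extends the report's four trigger characters with tab and carriage return, which OWASP's CSV Injection page also lists; the sample rows are constructed.

```python
"""Defensive handling of spreadsheet exports (CSV injection remediation).
Added example; not the assessed application's code."""
import csv
import io

# Leading characters that make Excel/LibreOffice treat a cell as a formula.
# The report lists = + - @; tab and carriage return are added because OWASP's
# CSV Injection page lists them as further triggers (assumed policy here).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would parse this cell as a formula."""
    return cell.startswith(FORMULA_TRIGGERS)


def validate_input(value: str) -> str:
    """Server-side check at the input field (remediation item 1): refuse
    values that would turn into formulas once exported."""
    if is_formula_like(value):
        raise ValueError("value must not start with one of: = + - @ tab CR")
    return value


def neutralise_cell(cell: str) -> str:
    """Defence in depth at export time: prefix formula-like cells with a
    single quote so the spreadsheet renders them as text."""
    if is_formula_like(cell):
        return "'" + cell
    return cell


def export_rows(rows, fieldnames) -> str:
    """Produce a CSV export in which every cell has been neutralised."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralise_cell(str(v)) for k, v in row.items()})
    return buf.getvalue()


def find_unsafe_cells(csv_text: str):
    """Audit an existing export: (row number, column) for each cell a
    spreadsheet would evaluate. Useful for checking what the app emits today."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for number, row in enumerate(reader, start=1):
        for column, cell in row.items():
            if cell is not None and is_formula_like(cell):
                hits.append((number, column))
    return hits


# Constructed sample: the master-type name from step 1 of the finding next
# to an ordinary record, as the application would have stored them.
FIELDS = ["Name", "Department"]
SAMPLE_ROWS = [
    {"Name": "= 10+20cmd|'/C Calc'!A0", "Department": "Finance"},
    {"Name": "Standard", "Department": "-Ops"},
]
# The same data as an export produced without any neutralisation (constructed).
UNSAFE_EXPORT = 'Name,Department\n"= 10+20cmd|\'/C Calc\'!A0",Finance\nStandard,-Ops\n'

if __name__ == "__main__":
    print("unsafe cells in raw export:", find_unsafe_cells(UNSAFE_EXPORT))
    print(export_rows(SAMPLE_ROWS, FIELDS))
```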

Steps to Reproduce:

Step 1: The snapshot below shows that the user was able to add a master type with the name “= 10+20cmd|’/C Calc’!A0” in the application.

Step 2: The snapshot below shows that the record was submitted successfully.

Step 3: After entering the CSV injection payload, click the Export List option under the same tab; the list is sent by email.

Step 4: On opening the downloaded file, the Microsoft Excel security notice pops up; Enable was clicked.

Step 5: The payload was executed successfully and the Calculator application opened.

Reference Link:

https://owasp.org/www-community/attacks/CSV_Injection

https://affinity-it-security.com/how-to-prevent-csv-injection/

Application is vulnerable to HTML injection attack
An HTML injection attack only allows the injection of certain HTML tags. When an application does not properly handle user-supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as it exploits both a code-based vulnerability and a user's trust.

Affected URL/IP: https://app.com/

Severity: Medium

CVSS Score: 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Business Impact: An adversary can execute code in a victim’s browser and perform malicious activity, posing a serious security threat to the application.

Technical Impact: An adversary can add a malicious link and perform a phishing attack.

Suggested Remediation:

The following recommendations will help to mitigate the risk:

1. Create a whitelist of characters needed by the application. Once this whitelist is ready, the application should reject all requests containing any character not on the whitelist.

2. The application should not accept any script, special characters or HTML in fields where they are not required.

3. It should escape special characters that may prove to be harmful.

4. The following are some of the main characters used in scripts that must be escaped: < > ( ) ' " / \ * ; = { } ` (backtick) % + ^ ! - and \x00-\x20 (hexadecimal notation; includes Space, Tab, Carriage Return and Line Feed).

Steps to Reproduce:

Step 1: Access the User List field under the Settings tab, enter the payload “<li><a href="https://www.example.com">Visit example.com!</a></li>” in the Department field and save the form.

Step 2: Visit the Org chart and select the user for whom the payload was entered.

Step 3: After selecting the user, the entered payload was successfully executed and reflected in the page.

Reference Link:

https://www.softwaretestinghelp.com/html-injection-tutorial/

https://www.javatpoint.com/how-to-remove-special-characters-from-string-in-java

https://www.smashingmagazine.com/2011/01/keeping-web-users-safe-by-sanitizing-input-data/
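An added example in Python (not the assessed application's code) covering the remediations of the XSS finding above and this HTML injection finding together: an allowlist check for the Title and Department fields, HTML-escaped rendering of the org-chart entry, and the CSP and HttpOnly cookie headers. The allowlist character set, the markup of the user card and the cookie name are assumptions; the two payloads are the ones quoted in the findings.

```python
"""Output encoding, field validation and response headers for the org-chart
rendering path. Added example; not the assessed application's code."""
import html
import re

# Allowlist for the "Title" and "Department" profile fields (HTML injection
# remediation item 1). The exact set is an assumption; it deliberately leaves
# out < > " ' / ( ) and the other characters listed in the finding.
FIELD_PATTERN = re.compile(r"^[A-Za-z0-9 .,&-]{1,64}$")

# Payloads quoted in the two findings, reused here as constructed test input.
XSS_PAYLOAD = '<iframe src="javascript:alert(document.cookie)"></iframe>'
HTML_PAYLOAD = '<li><a href="https://www.example.com">Visit example.com!</a></li>'


def field_is_valid(value: str) -> bool:
    """Server-side check to run when the User List form is saved."""
    return FIELD_PATTERN.match(value) is not None


def render_org_chart_entry(name: str, title: str, department: str) -> str:
    """Render a user card with every value HTML-escaped (remediation item 2).
    html.escape(quote=True) also encodes quotes, so the output is safe inside
    attribute values as well as element bodies."""
    def e(value: str) -> str:
        return html.escape(value, quote=True)

    return (
        f'<div class="user" data-dept="{e(department)}">'
        f"<h3>{e(name)}</h3><p>{e(title)}</p><p>{e(department)}</p></div>"
    )


def security_headers() -> dict:
    """Headers for remediation items 3 and 4: a CSP that blocks inline script
    (including javascript: URLs) and framed content, plus a session cookie that
    page scripts cannot read. The cookie name/value are placeholders."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "frame-src 'none'; base-uri 'self'"
        ),
        "Set-Cookie": "SESSION_COOKIE_NAME=<value>; HttpOnly; Secure; SameSite=Lax; Path=/",
    }


if __name__ == "__main__":
    print(field_is_valid(XSS_PAYLOAD), field_is_valid("Head of Finance"))
    print(render_org_chart_entry("Alice", XSS_PAYLOAD, HTML_PAYLOAD))
```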

Application's Response reveals sensitive information
Sensitive information in requests and responses should be encrypted using a proper technique, with salting. Examples: passwords, account details, personal identity information, etc.

Affected URL/IP: https://app.com/

Severity: Medium

CVSS Score: 6.5 /AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Business Impact: An adversary can decrypt the SSL traffic or find the information in browser memory or cache.

Technical Impact: The scale of impact from a Sensitive Information Disclosure event is limited only by
the type of sensitive information disclosed and a malicious actor’s ability to leverage it.

For example, the fallout could be as minor as a local pathname being disclosed in a stack trace, allowing
a malicious actor to improve their knowledge of the target’s implementation details, right through to
a full-blown data leak involving millions of customers’ confidential data.

Suggested Remediation:

Passwords should be encrypted with keys that are at least 128 bits in length for adequate security.

Steps to Reproduce:

Step 1: The screenshot below shows that the application’s response reveals sensitive information such as Jira Client ID, Slack ID, etc.

Reference Link:

https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html

https://cwe.mitre.org/data/definitions/312.html

https://knowledge-base.secureflag.com/vulnerabilities/sensitive_information_exposure/sensitive_information_disclosure_vulnerability.html

Application is vulnerable to Simultaneous login
The application allows the same user to log in simultaneously from different locations at the same time.

Affected URL/IP: https://app.com/

Severity: Low

CVSS Score: 2.0/ AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N


Business Impact: An attacker can perform malicious activities on behalf of a valid user.

Technical Impact: Concurrent logins can pose security risks, especially if sensitive or confidential
information is involved. For example, if an attacker gains unauthorized access to a user's account, they
can access sensitive data, manipulate settings, or conduct fraudulent activities.

Suggested Remediation:

Simultaneous login should be disabled. User should only be able to login from one place at a time.

Steps to Reproduce:

Step 1: The snapshot below shows the same user account logged in to the application simultaneously in different web browsers.

Reference Link:

https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

JWT Token Expiry Misconfigured
JWTs are used for a variety of purposes, including authentication and authorization. They are often used in modern web applications to transmit information between the client and the server securely.

Insufficient token expiration is when a web site permits an adversary to reuse old session credentials or session IDs for authorization.

Affected URL/IP: https://app.com/

Severity: Low

CVSS Score: 3.5/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Business Impact: A JWT token with an expiration of more than 15 minutes is dangerous: if the token is stolen, then someone can always access the user’s data.

Technical Impact: A JWT token that never expires is dangerous: if the token is stolen, then someone can always access the user's data. Quoted from the JWT RFC (RFC 7519): The “exp” (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.

Suggested Remediation: Please ensure the JWT access token is only valid for a finite period of time.

The expiration value should be 1200 seconds (20 minutes) as per best practice.

Steps to Reproduce:

Step 1: After intercepting the login request, a JWT token was observed in the response.

Step 2: Decoding the JWT token shows that the expiry of the token is almost one month away, i.e. 26 August 2023.

Step 3: Converting the exp value from epoch time shows the token expiration date.

Reference Link:

https://medium.com/@byeduardoac/managing-jwt-token-expiration-bfb2bd6ea584#:~:text=A%20JWT%20token%20that%20never,NOT%20be%20accepted%20for%20processing.
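An added example (not the assessed application's code) that issues HS256 tokens with the 1200-second lifetime recommended above and rejects tokens that are expired, wrongly signed, or minted with a longer life, such as the month-long token observed in step 2. HS256 is implemented with the Python standard library so it runs offline; the key and claim values are constructed.

```python
"""Issuing and checking JWT access tokens with a bounded lifetime.
Added example; not the assessed application's code."""
import base64
import hashlib
import hmac
import json
import time

MAX_LIFETIME = 1200  # seconds; the 20-minute ceiling recommended in the finding


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes, lifetime: int = MAX_LIFETIME, now=None) -> str:
    """Create an HS256 JWT whose exp is iat + lifetime."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + lifetime)
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def lifetime_seconds(token: str) -> int:
    """exp minus iat of a token, read without verifying it: what steps 2 and 3
    of the finding do to see how long an intercepted token stays valid."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    return int(claims["exp"]) - int(claims["iat"])


def check_token(token: str, key: bytes, now=None) -> str:
    """Return "ok" or the reason the token must be rejected. Per RFC 7519
    section 4.1.4 a JWT MUST NOT be accepted on or after exp, so no leeway."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return "malformed"
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        return "unsupported-alg"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "bad-signature"
    if "exp" not in claims:
        return "missing-exp"
    if now >= int(claims["exp"]):
        return "expired"
    # Policy from the remediation: refuse tokens minted with an over-long life
    # even when they are otherwise valid (e.g. the month-long token in step 2).
    if int(claims["exp"]) - int(claims.get("iat", claims["exp"])) > MAX_LIFETIME:
        return "lifetime-exceeds-policy"
    return "ok"


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"
    token = issue_token({"sub": "user1"}, demo_key)
    print(lifetime_seconds(token), check_token(token, demo_key))
```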

Valid user's details can be enumerated
The application does not handle all errors properly. If the application displays different error messages when a wrong username or a wrong password is entered, then valid users' details can be enumerated.

Affected URL/IP: https://app.com/

Severity: Low

CVSS Score: 3.7 /AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Business Impact: An adversary can enumerate valid users and use this information to log into the application.

Technical Impact: Username enumeration is a common application vulnerability which occurs when
an adversary can determine if usernames are valid or not.

Suggested Remediation:

All errors should be handled by the application and a custom error message should be displayed that
does not reveal any important information.

Note: Suggested generic message for this scenario:

“A password reset link will be sent to this email ID if the account exists”.

Steps to Reproduce:

Step 1: The snapshot below shows that valid user details can be enumerated via the Forgot Password field.

Reference Link:

https://blog.rapid7.com/2017/06/15/about-user-enumeration/

Allows Disposable Email Addresses
Disposable email addressing, also known as DEA or dark mail, refers to an approach where a unique email address is used for every contact or entity, or for a limited time or number of uses. It is provided as a service that allows a user to receive email at a temporary address that self-destructs after a certain time elapses.

Affected URL/IP: https://app.com/

Severity: Informational

CVSS Score: 0.0 /AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N

Business Impact: Disposable email addresses can drastically thwart efforts to reach potential customers, and they can also skew email list analytics. In other words, a business owner may have thousands of subscribers on his or her list with only a small percentage of them reading their emails.

Technical Impact: An adversary can use a disposable email address to create a false user account.

Suggested Remediation:

One mitigation is to reject form submissions that contain temporary domains within the addresses. There are references online that list these temporary email domains, as well as services that specifically aid in blocking these temporary domains for you.

Another step is to get your list validated regularly through services such as Webulla, which comb through your list for invalid and expired domains.

Steps to Reproduce:

Step 1: The snapshot below shows a user account registered with the disposable email address “mipax20196@rc3s.com”.

Reference Link:

https://www.impressionwise.com/kb/threats/disposable-email-accounts.html

https://www.business2community.com/brandviews/act-on/temporarydisposable-email-addresses-effect-deliverability-01498755

Appendix A | Open Port Information for In-Scope Application
app.com

Appendix B | Risk Definitions
Eventus uses CVSS scores to determine the risk of each vulnerability. The Common Vulnerability Scoring System (CVSS) provides a numerical (0-10) representation of the severity of an information security vulnerability. A CVSS score is composed of three sub-score elements – Exploitability, Scope, and Impact.

Exploitability – Exploitability metrics are made up of characteristics of the vulnerable component, with Exploitability being made up of four further sub-components.

▪ Attack Vector – this score varies based on the level of access required to exploit a vulnerability.
The score will be higher for exploits that can be executed remotely (i.e. outside of a company’s
network) than for exploits that require physical presence (i.e. must have access to a physical port
on an appliance or access to a local network inside of a private data center).
▪ Attack Complexity – this score varies based on the factors outside of the attacker’s control that
are required to exploit the vulnerability. The score will be higher for exploits that require additional
work on the attacker’s part, such as theft of a shared secret key or a man-in-the-middle attack,
than for an attack that requires no such additional effort.
▪ Privileges Required – this score varies based on the privileges required for the attacker to conduct
the exploit. A vulnerability that requires administrative privileges to exploit will have a higher score
than an exploit that requires no authentication or escalated privileges on the attacker’s part.
▪ User Interaction – this score varies based on whether the attacker must recruit either a willing or
unwitting participant in order to complete their task. The score will be higher if the attacker can
operate autonomously, with no participation from a user.

Scope – Scope relates to whether a vulnerability in one component can propagate to other
components. The scope score is higher if propagation is possible. Examples of scope include ability to
access and exploit the underlying operating system after exploiting a vulnerability in a software
application, or an attacker accessing a backend database after successfully exploiting a vulnerability in
a web server.

Impact – Impact focuses on the actual outcome that an attacker can achieve as a result of exploiting the vulnerability in question. Impact metrics are comprised of three sub-metrics – Confidentiality, Integrity, and Availability.

▪ Confidentiality – this score varies on the amount of data that the attacker gains access to. It will
be higher if all data on the impacted system is accessible by the attacker, lower if no data is
accessible.
▪ Integrity – this score varies based on the ability of the attacker to alter or change data on the
impacted system. If complete, or severely consequential modifications to data are possible, this
score will be high.
▪ Availability – this score varies based on the loss of availability of the exploited system. The score
will be high if the system is no longer accessible or usable for authorized users as a result of the
attack.

The table below maps CVSS score ranges to vulnerability severity.

CVSS Score Range | Severity Category
0.0              | Informational / Observational
0.1 to 3.9       | Low
4.0 to 6.9       | Medium
7.0 to 8.9       | High
9.0 to 10.0      | Critical

Appendix C | Tool Usage
The following tools were utilized during the assessment:

Tool                            | Description
Nmap                            | To perform port scanning.
Custom Scripts                  | Modified open-source scripts, specially for defense evasion.
Nessus                          | To scan for common vulnerabilities and misconfigurations.
Burp Suite Professional         | Intercepting proxy to observe and manipulate communication between browser and application.
Toolset available in Kali Linux | Kali Linux is an OS consisting of various toolsets for performing various exploitation activities.

Appendix D | Eventus Contact Information
Please contact Eventus with any questions regarding the findings, analysis, or recommendations
contained in this report.
1. Akshay Kathavale
Account Manager
Email: akshay.kathavale@eventustechsol.com
Mobile: +91- 8446164163

2. Chinmay Patkar
Security Consultant
Email: chinmay.patkar@eventustechsol.com
Mobile: +91-8082282294

3. Nikhil Raut
Security Delivery Lead
Email: nikhil.raut@eventustechsol.com
Mobile: +91-8956652763

4. Jay Thakker
Practice Head
Email: jay.thakker@eventustechsol.com
Mobile: +91-7977020491

Disclaimer
It should be noted that it is not possible to completely guarantee the security of any network, system, or application, and as such this report does not constitute and should not be taken as a guarantee of the security of the tested systems and applications. It should also be noted that whilst some risks may be reported as high from a technical perspective, from a business perspective they may be considered acceptable. Also, from the mitigation perspective, it is expected that the vulnerability is fixed throughout the application and not only in the reported instances.
