VULNWEB
Testphp.vulnweb.com
Prepared By:
Thang Nguyen
Presented To:
SET 1821 class
Table of contents
Executive Summary
Summary of Findings
Introduction
Findings
1. SQL Injection
1.1 SQL Injection in Artists page
1.2 SQL Injection in Categories page
2. Cross-site Scripting
3. Password data is being transmitted over HTTP
4. Local File Inclusion in show image page
5. Cross-site scripting via remote file inclusion in show image page
6. Version of PHP is out of date
7. Version of Nginx is out of date
8. Open Policy Crossdomain.xml Detected
9. Frame Injection
9.1 Frame Injection in guestbook page - text field
9.2 Frame Injection in guestbook page - name field
9.3 Frame Injection in list product page
10. [Possible] Source Code Disclosure (PHP)
11. Cross Site Scripting (Stored XSS) at show image page
12. Information Disclosure (phpinfo())
13. Version of PHP is disclosed
14. Database Error Message Disclosure in list product page
15. Version of Nginx is disclosed
16. Missing X-Frame-Options Header
17. [Possible] Internal IP Address Disclosure
18. [Possible] Cross-site Request Forgery
19. [Possible] Cross-site Request Forgery in Login Form
Executive Summary
The penetration test was performed on the Testphp.vulnweb.com domain between 24th Jan
2019 and 26th Jan 2019. The domain was tested for 48 work hours. Reporting took 2 work hours.
Report Detail:
Risk Distribution:
Summary of Findings
No  Description                                                          Risk Level
5   Cross-site scripting via remote file inclusion in show image page    High
The following sections describe the objectives of the tests performed and the scope of the work
done, and provide general conclusions and recommendations.
● Identify the attack surface of the systems undergoing the Penetration Testing
exercise.
● Identify the vulnerabilities of the systems undergoing the Penetration Testing exercise.
● Determine the feasibility of a particular set of attack vectors.
● Provide evidence of the real status of the systems to the management of the company.
Among the checks performed over the Web Application, the following checks related to the most
common vulnerabilities (OWASP Top 10) were included:
A1 - Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when
untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile
data can trick the interpreter into executing unintended commands or accessing data without
proper authorization.
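The A1 class above is the one behind findings 1.1 and 1.2 (SQL injection in the Artists and Categories pages). The following Python/sqlite3 script is an added illustration written for this report, not code from the tested application: it shows the injection-prone pattern (the request parameter concatenated into the SQL text) next to the parameterised form. The table schema, the row contents and the function names are assumptions constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory table standing in for an "artists" table; the real
# application's schema is not known from the report.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE artists (artist_id INTEGER PRIMARY KEY, aname TEXT)")
conn.executemany(
    "INSERT INTO artists VALUES (?, ?)",
    [(1, "alice"), (2, "bob"), (3, "carol")],
)


def artist_vulnerable(artist_param: str):
    """Builds the query by string concatenation. The 'artist' request
    parameter becomes part of the SQL text, so the interpreter cannot tell
    the caller's data from the query's own structure."""
    sql = "SELECT artist_id, aname FROM artists WHERE artist_id = " + artist_param
    return conn.execute(sql).fetchall()


def artist_safe(artist_param: str):
    """Parameterised query: the value travels separately from the SQL text
    and is only ever compared as data. Input is also checked against the
    parameter's expected type (a positive integer id) before it is used."""
    if not artist_param.isdigit():
        raise ValueError("artist must be a positive integer")
    return conn.execute(
        "SELECT artist_id, aname FROM artists WHERE artist_id = ?",
        (int(artist_param),),
    ).fetchall()


if __name__ == "__main__":
    print(artist_vulnerable("1"))          # one row, as intended
    print(artist_vulnerable("1 OR 1=1"))   # the query's WHERE clause has been rewritten: every row
    print(artist_safe("1"))                # one row
    try:
        artist_safe("1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The parameterised version is the fix; the type check is defence in depth that also gives the application a clean place to log rejected input, which is what the A10 item further down is about.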
A3 - Sensitive Data Exposure: Many web applications and APIs do not properly protect
sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly
protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be
compromised without extra protection, such as encryption at rest or in transit, and requires
special precautions when exchanged with the browser.
A4 - XML External Entities (XXE): Many older or poorly configured XML processors evaluate
external entity references within XML documents. External entities can be used to disclose
internal files using the file URI handler, internal file shares, internal port scanning, remote code
execution, and denial of service attacks.
A5 - Broken Access Control: Restrictions on what authenticated users are allowed to do are
often not properly enforced. Attackers can exploit these flaws to access unauthorized
functionality and/or data, such as access other users' accounts, view sensitive files, modify
other users' data, change access rights, etc.
A7 - Cross-Site Scripting (XSS): XSS flaws occur whenever an application includes untrusted
data in a new web page without proper validation or escaping or updates an existing web page
with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows
attackers to execute scripts in the victim's browser which can hijack user sessions, deface web
sites, or redirect the user to malicious sites.
A10 - Insufficient Logging & Monitoring: Insufficient logging and monitoring, coupled with
missing or ineffective integration with incident response, allows attackers to further attack
systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.
Most breach studies show time to detect a breach is over 200 days, typically detected by
external parties rather than internal processes or monitoring.
As a baseline for testing, the OWASP Application Security Verification Standard 3.0 was used
and the security verification level applied was ASVS Level 1 (Opportunistic).
Scope
The consultants performed a Web Application penetration testing exercise on the
following web page:
The scope of this review was limited to a single Internet-facing web application portal. This is a
security practice site, and the specific instantiation of the portal we were asked to test was the
Acunetix Web Vulnerability application. The application is Internet facing and requires standard username
and password identity elements for secure access.
The landing page to the application under review was at the following addresses:
Findings
Request:
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Fri, 01 Mar 2019 14:13:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Content-Length: 4096
Recommended: Hide the nginx server information from the response header.
Screenshot:
Response:
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Fri, 01 Mar 2019 14:38:55 GMT
Content-Type: text/html
Connection: close
Content-Length: 611

<html>
<head><title>Index of /CVS/</title></head>
<body bgcolor="white">
<h1>Index of /CVS/</h1><hr><pre><a href="../">../</a>
<a href="Entries">Entries</a>             11-May-2011 10:27    1
<a href="Entries.Log">Entries.Log</a>     11-May-2011 10:27    1
<a href="Repository">Repository</a>       11-May-2011 10:27    8
<a href="Root">Root</a>                   11-May-2011 10:27    1
</pre><hr></body>
</html>
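The two responses above carry the evidence for three of the report's findings: the Nginx version in the Server header (finding 15), the PHP version in X-Powered-By (finding 13), and a directory listing of the /CVS/ metadata directory (finding 10). The script below is an added example written for this report, not the tester's tooling: it parses a raw HTTP response, flags version strings in the usual product headers and detects an autoindex page for a version-control directory. The two sample responses are reconstructed inline from the listings above; the hardened response, the function names and the header list are assumptions for the demonstration. The hardening the findings call for is `server_tokens off;` in the nginx configuration and `expose_php = Off` in php.ini, which is what the hardened sample reflects.

```python
import re

# Responses reconstructed from the report's listings (constructed inline so
# the script runs offline; bodies are abbreviated).
NGINX_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.4.1\r\n"
    "Date: Fri, 01 Mar 2019 14:13:48 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Connection: close\r\n"
    "X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2\r\n"
    "Content-Length: 4096\r\n"
    "\r\n"
    "<html><body>home</body></html>"
)

CVS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.4.1\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 611\r\n"
    "\r\n"
    "<html>\n<head><title>Index of /CVS/</title></head>\n"
    '<body bgcolor="white">\n<h1>Index of /CVS/</h1><hr><pre><a href="../">../</a>\n'
    '<a href="Entries">Entries</a> 11-May-2011 10:27 1\n'
    '<a href="Repository">Repository</a> 11-May-2011 10:27 8\n'
    '<a href="Root">Root</a> 11-May-2011 10:27 1\n'
    "</pre><hr></body>\n</html>\n"
)

# Assumed hardened response: server_tokens off (no version after "nginx")
# and expose_php = Off (no X-Powered-By header at all).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 30\r\n"
    "\r\n"
    "<html><body>home</body></html>"
)

# Headers whose value commonly carries a product version (assumed list).
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+\.\d+")

# Version-control metadata directories that must never be served.
VCS_DIRS = ("/CVS/", "/.git/", "/.svn/", "/.hg/")


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, headers, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def analyze_response(raw: str):
    """Return (finding, evidence) pairs for the disclosures the report
    describes: version strings in headers and an exposed directory index."""
    status, headers, body = parse_response(raw)
    findings = []
    for name in VERSION_HEADERS:
        value = headers.get(name)
        if value and VERSION_RE.search(value):
            findings.append((f"version disclosure in {name} header", value))
    title = re.search(r"<title>Index of ([^<]+)</title>", body)
    if title and status.startswith("HTTP/1.1 200"):
        path = title.group(1).strip()
        if path in VCS_DIRS:
            findings.append(("version-control metadata directory listing", path))
        else:
            findings.append(("directory listing enabled", path))
    return findings


if __name__ == "__main__":
    for label, raw in (("main page", NGINX_RESPONSE), ("/CVS/", CVS_RESPONSE),
                       ("hardened", HARDENED_RESPONSE)):
        print(label, analyze_response(raw))
```

Checks like this belong in the team's regression suite so that a configuration change which turns server_tokens back on, or a deployment that ships a CVS or .git directory into the document root, is caught before the next external assessment.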
Request:
Response:
<tr class="report-header">
<td> </td>
<td>Name</td>
<td>Date</td>
<td>Comment</td>
</tr><tr>
<td>1</td>
<td ReflectedXSSExecutionPoint="1">anonymous</td>
<td>2019-03-18 22:03:32</td>
<td ReflectedXSSExecutionPoint="1"><script>alert("testing")</script></td>
</tr>
<tr>
<td>2</td>
<td ReflectedXSSExecutionPoint="1">anonymous</td>
<td>2019-03-18 21:39:35</td>
<td ReflectedXSSExecutionPoint="1"><script>alert("kiemthu111")</script></td>
</tr>
<tr>
<td>3</td>
<td ReflectedXSSExecutionPoint="1">anonymous</td>
<td>2009-03-01 22:27:11</td>
<td ReflectedXSSExecutionPoint="1">An anonymous blog? Huh? </td>
</tr>
Recommended:
Screenshot:
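The guestbook response above shows the A7 flaw from the introduction in its stored form: the text submitted in the comment field is written back into the page unchanged, so the <script> element the tester stored is served to every later visitor. The Python script below is an added example for this report, not the application's code: it renders the same table two ways, interpolating the stored fields directly (what the captured response shows) and HTML-entity encoding every user-controlled field at output time (the recommended fix). The entry rows are constructed from the response above; the function names are assumptions.

```python
from html import escape

# Guestbook rows constructed from the captured response; the first entry's
# text is the proof-of-concept the application stored and echoed back.
ENTRIES = [
    {"name": "anonymous", "date": "2019-03-18 22:03:32",
     "text": '<script>alert("testing")</script>'},
    {"name": "anonymous", "date": "2009-03-01 22:27:11",
     "text": "An anonymous blog? Huh?"},
]


def render_guestbook_vulnerable(entries):
    """Interpolates stored fields straight into the HTML, reproducing the
    behaviour seen in the response: markup in a comment becomes live markup."""
    rows = []
    for i, e in enumerate(entries, 1):
        rows.append(
            f"<tr><td>{i}</td><td>{e['name']}</td>"
            f"<td>{e['date']}</td><td>{e['text']}</td></tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


def render_guestbook_safe(entries):
    """Same layout, but every user-controlled field is entity-encoded for the
    HTML text context it lands in. quote=True also encodes " and ', so the
    same helper is safe if a value is later placed inside an attribute."""
    rows = []
    for i, e in enumerate(entries, 1):
        rows.append(
            f"<tr><td>{i}</td><td>{escape(e['name'], quote=True)}</td>"
            f"<td>{escape(e['date'], quote=True)}</td>"
            f"<td>{escape(e['text'], quote=True)}</td></tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


def contains_script_element(html: str) -> bool:
    """Crude comparison aid: does the rendered output contain a script tag
    that the browser would execute (as opposed to the encoded text)?"""
    return "<script" in html.lower()


if __name__ == "__main__":
    print(contains_script_element(render_guestbook_vulnerable(ENTRIES)))  # True
    print(contains_script_element(render_guestbook_safe(ENTRIES)))        # False
    print(render_guestbook_safe(ENTRIES))
```

Encoding at the point of output is the control that closes the finding; validating the comment field on the way in and adding a Content-Security-Policy header are complementary, not substitutes, because stored data can reach the page through more than one template.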