
Security Penetration Test report of

VULNWEB
Testphp.vulnweb.com

Version V1.0 - Jan 27th, 2019

Prepared By:
Thang Nguyen

Presented To:
SET 1821 class

Table of contents

Executive Summary 3

Summary of Findings 4

Introduction 5

Findings 7
1. SQL Injection 7
1.1 SQL Injection in Artists page 7
1.2 SQL Injection in Categories page 8
2. Cross-site Scripting 9
3. Password data is being transmitted over HTTP. 11
4. Local File Inclusion in show image page 12
5. Cross-site scripting via remote file inclusion in show image page 13
6. Version of PHP is out-of-date 14
7. Version of Nginx is out-of-date 14
8. Open Policy Crossdomain.xml Detected 15
9. Frame Injection 16
9.1 Frame Injection in guestbook page - text field 16
9.2 Frame Injection in guestbook page - name field 17
9.3 Frame Injection in list product page 18
10. [Possible] Source Code Disclosure (PHP) 19
11. Cross Site Scripting (Stored XSS) at show image page 20
12. Information Disclosure (phpinfo()) 21
13. Version of PHP is disclosed 22
14. Database Error Message Disclosure in list product page 23
15. Version of Nginx is disclosed 23
16. Missing X-Frame-Options Header 24
17. [Possible] Internal IP Address Disclosure 25
18. [Possible] Cross-site Request Forgery 26
19. [Possible] Cross-site Request Forgery in Login Form 27
Executive Summary

The penetration test was performed on the Testphp.vulnweb.com domain between 24th Jan
2019 and 26th Jan 2019. The domain was tested for 48 work hours. Reporting took 2 work hours.

Report Detail:

Version   Implemented by   Revision Date   Approved By   Approved Date   Reason
1.0       Thang Nguyen     Jan 26th 2019                                 Init first version

Risk Distribution:

Summary of Findings

No   Description                                                         Risk Level
1    SQL Injection in Artists page                                       High
2    SQL Injection in Categories page                                    High
3    Cross Site Scripting (Stored XSS) at guestbook page                 High
4    Cross Site Scripting (Stored XSS) at list products page             High
5    Cross-site scripting via remote file inclusion in show image page   High
6    Local File Inclusion in show image page                             High
7    Cross Site Scripting (Stored XSS) at show image page                High
8    Password data is being transmitted over HTTP                        Medium
9    Version of PHP is out-of-date                                       Medium
10   Version of Nginx is out-of-date                                     Medium
11   Open Policy Crossdomain.xml Detected                                Medium
12   Frame Injection in guestbook page - text field                      Medium
13   Frame Injection in guestbook page - name field                      Medium
14   Frame Injection in list product page                                Medium
15   Frame Injection in show image page                                  Medium
16   Source Code Disclosure (PHP)                                        Medium
17   Information Disclosure (phpinfo())                                  Medium
18   Version of PHP is disclosed                                         Medium
19   Database Error Message Disclosure in list product page              Medium
20   Version of Nginx is disclosed                                       Medium


Introduction
This document constitutes the final report for the Web Application Penetration Test performed on
the Testphp.vulnweb.com domain, executed during the period of time that spans from 1st Oct to
10th Oct 2018.

The following sections describe the objectives of the tests performed, the scope of the work
done and provide general conclusions and recommendations.

Objectives & Methodologies

A Web Application Penetration Test was performed to:

● Identify the attack surface of the systems undergoing the Penetration Testing
exercise.
● Identify the vulnerabilities of the systems undergoing the Penetration Testing exercise.
● Determine the feasibility of a particular set of attack vectors.
● Provide evidence of the real status of the systems to the management of the company.

Among the checks performed over the Web Application, the following checks related to the most
common vulnerabilities (OWASP Top 10) were included:

A1 - Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when
untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile
data can trick the interpreter into executing unintended commands or accessing data without
proper authorization.

A2 - Broken Authentication: Application functions related to authentication and session
management are often implemented incorrectly, allowing attackers to compromise passwords,
keys, or session tokens, or to exploit other implementation flaws to assume other users'
identities temporarily or permanently.

A3 - Sensitive Data Exposure: Many web applications and APIs do not properly protect
sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly
protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be
compromised without extra protection, such as encryption at rest or in transit, and requires
special precautions when exchanged with the browser.

A4 - XML External Entities (XXE): Many older or poorly configured XML processors evaluate
external entity references within XML documents. External entities can be used to disclose
internal files using the file URI handler, internal file shares, internal port scanning, remote code
execution, and denial of service attacks.

A5 - Broken Access Control: Restrictions on what authenticated users are allowed to do are
often not properly enforced. Attackers can exploit these flaws to access unauthorized
functionality and/or data, such as access other users' accounts, view sensitive files, modify
other users' data, change access rights, etc.

A6 - Security Misconfiguration: Security misconfiguration is the most commonly seen issue.
This is commonly a result of insecure default configurations, incomplete or ad hoc
configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages
containing sensitive information. Not only must all operating systems, frameworks, libraries, and
applications be securely configured, but they must be patched/upgraded in a timely fashion.

A7 - Cross-Site Scripting (XSS): XSS flaws occur whenever an application includes untrusted
data in a new web page without proper validation or escaping, or updates an existing web page
with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows
attackers to execute scripts in the victim's browser which can hijack user sessions, deface web
sites, or redirect the user to malicious sites.

A8 - Insecure Deserialization: Insecure deserialization often leads to remote code execution.
Even if deserialization flaws do not result in remote code execution, they can be used to perform
attacks, including replay attacks, injection attacks, and privilege escalation attacks.

A9 - Using Components with Known Vulnerabilities: Components, such as libraries,
frameworks, and other software modules, run with the same privileges as the application. If a
vulnerable component is exploited, such an attack can facilitate serious data loss or server
takeover. Applications and APIs using components with known vulnerabilities may undermine
application defenses and enable various attacks and impacts.

A10 - Insufficient Logging & Monitoring: Insufficient logging and monitoring, coupled with
missing or ineffective integration with incident response, allows attackers to further attack
systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.
Most breach studies show time to detect a breach is over 200 days, typically detected by
external parties rather than internal processes or monitoring.

As a baseline for testing, the OWASP Application Security Verification Standard 3.0 was used
and the security verification level applied was ASVS Level 1 (Opportunistic).
Scope

The consultants performed a Web Application penetration testing exercise on the
following web page:

The scope of this review was limited to a single Internet-facing web application portal. This is a
Security Practice and the specific instantiation of the portal we were asked to test was for the
Acunetix Web Vulnerability. The application is Internet facing and requires standard username
and password identity elements for secure access.

The landing page to the application under review was at the following address:

Application                  Landing Page
Acunetix Web Vulnerability   http://testphp.vulnweb.com/index.php

Findings

Title: Show the nginx server version in the response header

Details: The response header shows the version of nginx and allows a hacker to learn more
about the server software.
Severity: Low
Steps:
1. Go to the homepage: http://testphp.vulnweb.com/index.php
2. Check the response header

Request:

    GET /index.php HTTP/1.1
    Host: testphp.vulnweb.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://testphp.vulnweb.com/guestbook.php
    Connection: close
    Upgrade-Insecure-Requests: 1

Response:

    HTTP/1.1 200 OK
    Server: nginx/1.4.1
    Date: Fri, 01 Mar 2019 14:13:48 GMT
    Content-Type: text/html
    Connection: close
    X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
    Content-Length: 4096

Recommended: Hide the nginx server information from the response header.
Screenshot:

Title: Folder file listing at /CVS (Directory listing at /CVS folder)

Details: The server shows all files in the folder and allows a hacker to see the list of files.
Severity: Medium
Steps:
1. Go to the page: http://testphp.vulnweb.com/CVS/
2. Check the content of the page response

Request:

    GET /CVS/ HTTP/1.1
    Host: testphp.vulnweb.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1

Response:

    HTTP/1.1 200 OK
    Server: nginx/1.4.1
    Date: Fri, 01 Mar 2019 14:38:55 GMT
    Content-Type: text/html
    Connection: close
    Content-Length: 611

    <html>
    <head><title>Index of /CVS/</title></head>
    <body bgcolor="white">
    <h1>Index of /CVS/</h1><hr><pre><a href="../">../</a>
    <a href="Entries">Entries</a>                 11-May-2011 10:27     1
    <a href="Entries.Log">Entries.Log</a>         11-May-2011 10:27     1
    <a href="Repository">Repository</a>           11-May-2011 10:27     8
    <a href="Root">Root</a>                       11-May-2011 10:27     1
    </pre><hr></body>
    </html>

Recommended: Disable the directory listing so the files in the CVS folder are not displayed.

Screenshot:
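The two findings above (the version strings in the Server and X-Powered-By headers, and the nginx autoindex listing at /CVS/) can be checked from a captured response with a short script. The following is an added example, not code from the report or from the target application. It uses only the Python standard library; the two sample responses are constructed from the request/response listings above, with the headers abbreviated.

```python
"""Response checks for version disclosure and directory listings.

Added example, not part of the original report. It takes a raw HTTP
response (status line, headers, body) and flags two of the issues the
report describes: product versions in the Server / X-Powered-By headers
and an nginx autoindex ("Index of /...") page in the body.
"""
import re
from html.parser import HTMLParser

# Headers whose value commonly carries a product version string.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Something like 1.4.1 or 5.3.10-1~lucid+2uwsgi2.
VERSION_RE = re.compile(r"\d+\.\d+[\w.~+-]*")


def parse_response(raw: str):
    """Split a raw response into (status_line, headers, body).

    Header names are lower-cased; the first blank line ends the headers.
    """
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def version_disclosures(headers: dict) -> dict:
    """Return {header: value} for headers that carry a version string."""
    return {h: headers[h] for h in VERSION_HEADERS
            if h in headers and VERSION_RE.search(headers[h])}


class _IndexParser(HTMLParser):
    """Collect the <title> text and every href of an autoindex page."""

    def __init__(self):
        super().__init__()
        self.in_title = False
        self.title = ""
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

    def handle_data(self, data):
        if self.in_title:
            self.title += data


def directory_listing(body: str):
    """Return the exposed entries if the body is an 'Index of' page, else None."""
    parser = _IndexParser()
    parser.feed(body)
    if not parser.title.strip().startswith("Index of"):
        return None
    # Drop the parent-directory link; what remains is the exposed file list.
    return [h for h in parser.hrefs if h != "../"]


def check_response(raw: str) -> dict:
    """Run both checks on one raw response and return the findings."""
    status, headers, body = parse_response(raw)
    return {
        "status": status,
        "version_disclosure": version_disclosures(headers),
        "directory_listing": directory_listing(body),
    }


# Constructed from the report's two responses (headers abbreviated).
INDEX_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.4.1
Content-Type: text/html
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2

<html><head><title>Welcome</title></head><body>home</body></html>"""

CVS_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.4.1
Content-Type: text/html

<html>
<head><title>Index of /CVS/</title></head>
<body bgcolor="white">
<h1>Index of /CVS/</h1><hr><pre><a href="../">../</a>
<a href="Entries">Entries</a>             11-May-2011 10:27   1
<a href="Entries.Log">Entries.Log</a>     11-May-2011 10:27   1
<a href="Repository">Repository</a>       11-May-2011 10:27   8
<a href="Root">Root</a>                   11-May-2011 10:27   1
</pre><hr></body>
</html>"""

if __name__ == "__main__":
    for path, raw in (("/index.php", INDEX_RESPONSE), ("/CVS/", CVS_RESPONSE)):
        print(path, check_response(raw))
```

The fixes are configuration rather than code: `server_tokens off;` in the nginx `http` or `server` block reduces the header to `Server: nginx`, `expose_php = Off` in php.ini removes `X-Powered-By`, and `autoindex off;` (the nginx default) on the affected location removes the listing; repository metadata such as a CVS directory should not be deployed under the web root at all. Because `version_disclosures` returns an empty result for a bare `Server: nginx` header, the same script doubles as the verification step after the change.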
Title: Stored XSS at Add to your blog page

Details: A hacker is able to submit XSS payloads and the page returns the XSS popup. There
is no encoding or validation of the input data.
Severity: High
Steps:
1. Go to the page Add to your blog:
http://127.0.0.1/mutillidae/index.php?page=add-to-your-blog.php
2. Input the XSS payload (input data): <script>alert("testing")</script>
3. Submit and check the response data

Request:

    POST /mutillidae/index.php?page=add-to-your-blog.php HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://127.0.0.1/mutillidae/index.php?page=add-to-your-blog.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 125
    Connection: close
    Cookie: showhints=1; PHPSESSID=bf4cf5106d36dc930516c44288c13b9d
    Upgrade-Insecure-Requests: 1

    csrf-token=&blog_entry=%3Cscript%3Ealert%28%22testing%22%29%3C%2Fscript%3E&add-to-your-blog-php-submit-button=Save+Blog+Entry

Response:

    <tr class="report-header">
    <td>&nbsp;</td>
    <td>Name</td>
    <td>Date</td>
    <td>Comment</td>
    </tr><tr>
    <td>1</td>
    <td ReflectedXSSExecutionPoint="1">anonymous</td>
    <td>2019-03-18 22:03:32</td>
    <td ReflectedXSSExecutionPoint="1"><script>alert("testing")</script></td>
    </tr>
    <tr>
    <td>2</td>
    <td ReflectedXSSExecutionPoint="1">anonymous</td>
    <td>2019-03-18 21:39:35</td>
    <td ReflectedXSSExecutionPoint="1"><script>alert("kiemthu111")</script></td>
    </tr>
    <tr>
    <td>3</td>
    <td ReflectedXSSExecutionPoint="1">anonymous</td>
    <td>2009-03-01 22:27:11</td>
    <td ReflectedXSSExecutionPoint="1">An anonymous blog? Huh? </td>
    </tr>

Recommended:

◉ Filter input parameters
◉ Filter output based on input parameters
◉ Encode output so that <script> is converted to &lt;script&gt;

Screenshot:
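To make the third recommendation concrete, here is an added example that is not code from the report or from the Mutillidae application it was tested against. It renders stored blog entries the way the response above does (plain string concatenation, no encoding) next to the encoded form, and counts the `<script>` elements an HTML parser finds in each. The entries are constructed; the first comment is the payload from the steps above.

```python
"""Stored XSS: unescaped vs. encoded output of a stored blog entry.

Added example, not code from the original report or from Mutillidae.
render_row_vulnerable emits the stored comment as-is (the defect the
report observed); render_row_safe applies the report's recommendation of
encoding output so that "<script>" becomes "&lt;script&gt;".
"""
import html
from html.parser import HTMLParser

# Constructed rows, as they would sit in the blog table after submission.
ENTRIES = [
    {"id": 1, "name": "anonymous", "date": "2019-03-18 22:03:32",
     "comment": '<script>alert("testing")</script>'},
    {"id": 2, "name": "anonymous", "date": "2009-03-01 22:27:11",
     "comment": "An anonymous blog? Huh? "},
]

ROW = "<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>"


def render_row_vulnerable(entry: dict) -> str:
    """Build the row by plain string formatting: stored markup is emitted as-is."""
    return ROW % (entry["id"], entry["name"], entry["date"], entry["comment"])


def render_row_safe(entry: dict) -> str:
    """Same row, but every field is HTML-entity encoded at the output point.

    html.escape turns < > & " ' into entities, so whatever was stored is
    displayed as text and can no longer form a tag or leave an attribute.
    """
    def enc(value) -> str:
        return html.escape(str(value), quote=True)

    return ROW % (enc(entry["id"]), enc(entry["name"]),
                  enc(entry["date"]), enc(entry["comment"]))


class _ScriptCounter(HTMLParser):
    """Count the <script> elements an HTML parser finds in the markup."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def script_count(markup: str) -> int:
    """Number of real <script> tags in rendered markup (0 means inert text)."""
    counter = _ScriptCounter()
    counter.feed(markup)
    return counter.scripts


def render_table(entries, safe: bool) -> str:
    """Render the comment table with either the vulnerable or the safe row builder."""
    render = render_row_safe if safe else render_row_vulnerable
    header = ('<tr class="report-header"><td>&nbsp;</td><td>Name</td>'
              "<td>Date</td><td>Comment</td></tr>")
    return "<table>" + header + "".join(render(e) for e in entries) + "</table>"


if __name__ == "__main__":
    for safe in (False, True):
        markup = render_table(ENTRIES, safe)
        print("safe=%s script tags=%d" % (safe, script_count(markup)))
```

Encoding at the point where data is written into HTML is the control that stops the stored script from running; input filtering (the first two recommendations) is useful defence in depth, but it cannot know in which context the data will later be rendered, so it should not be the only measure. In a PHP application the equivalent call is `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`.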
