
Project Report of DISA 3.0 Course

Vulnerability Assessment and Penetration Testing


CERTIFICATE
Project report of DISA 3.0 Course
This is to certify that we have successfully completed the DISA 3.0 course training
conducted at: ICAI’s Digital Learning Hub Portal, from 23rd August 2021 to
11th September 2021 and we have the required attendance. We are submitting the
project titled: Vulnerability Assessment and Penetration Testing.

We hereby confirm that we have adhered to the guidelines issued by DAAB, ICAI for the
project. We also certify that this project report is the original work of our group and each
one of us has actively participated and contributed in preparing this project. We have
not shared the project details or taken help in preparing a project report from anyone
except members of our group.

| Name of the Member | Membership Number | DISA Reference Number | Sd/- |
| --- | --- | --- | --- |
| CA Priyank Prakashraj Mehta | 604225 | 67549 | Sd/- Priyank Mehta |
| CA Venkateswararao Chimuturi | 245137 | 67094 | Sd/- Venkateswararao Chimuturi |
| CA Mohit Bansal | 561439 | 67491 | Sd/- Mohit Bansal |

Place: Virtual Batch


Date: 29/08/2021


Table of Contents

A. Details of Case Study/Project (Problem)

B. Project Report (Solution)

1. Introduction
2. Auditee Environment
3. Background
4. Situation
5. Terms and Scope of assignment
6. Logistic arrangements required
7. Methodology and Strategy adapted for execution of assignment
8. Documents reviewed
9. References
10. Deliverables
11. Format of Report/Findings and Recommendations
12. Conclusion


Project Report
Details of Case Study/Project (Problem)

Conducting Vulnerability Assessment and Penetration Testing

Shipkart is a Bangalore based E-commerce company. The company focuses on sales of
a large variety of product categories such as consumer electronics, fashion, home
essentials, groceries, and lifestyle products. The company is performing well and the
management of the company is of the view that it can achieve even greater heights in the
times to come. The Management is currently exploring options to expand their IT
Infrastructure and upgrade their current system in place with the new technologies.

Nowadays running a business online requires special attention from organizations to
ensure the protection of the business operations they carry out, as they deal with customers’
bank account details, credit card numbers and other personal information. Even though
e-commerce solutions are convenient to use, the complexity of their structure implies an
extreme susceptibility to cyber threats that are evolving in volume and sophistication.
Vulnerability assessment can help to maintain a secure network for the entire
e-commerce ecosystem. However, there are specific features to take into account when
evaluating network security for e-commerce. The company is totally dependent on its IT
infrastructure due to the nature of its business. Implementing a new system may lead to
additional vulnerabilities in systems and make them prone to malicious attacks.

To identify the vulnerabilities in the system, the management has decided to conduct a
vulnerability assessment and penetration testing in its IT Infrastructure system.



Project Report (Solution)

1. Introduction:

Shipkart has grown to become one of the largest E-commerce companies in India. The
company initially focused on online book sales before expanding into other product
categories such as consumer electronics, fashion, home essentials, groceries, and
lifestyle products. Shipkart has identified five core values - Integrity, Respect, Result
Orientation, Innovation and Collaboration – which form the foundation of their corporate
philosophy. From the way their staff work together to the way they deliver their products
and partner with their customers to ensure their success, these values underpin
everything they do. These demonstrate Shipkart’s commitment to creating a strong
corporate culture and long-term partnerships which deliver true value to their customers.

There are three product sourcing strategies followed by Shipkart:

1. Work with wholesaler
2. Work with a manufacturer
3. Try handmade products

Further, smooth functioning of the business is dependent on proper management of the
logistics and the IT infrastructure.



AUDIT ENGAGEMENT TEAM

We at M/s SGG & Co LLP (“Firm”), are practicing Chartered Accountants, based at New
Delhi. We have an immense and vast experience in the fields of Information System Audit
(“IS Audit”), drafting and implementation of IS Security Policies, Statutory Audit, Internal
Audit, Tax Audit, Bank Audit and Consultancy for Project Finance, and other professional
services.

We are a firm of 3 Chartered Accountants as partners, 9 Qualified Assistants, and other
staff as a part of our professional team.

| Partner | Qualification | Brief about the Partner |
| --- | --- | --- |
| CA Aditya Goyal | M.Com, FCA, DISA, CISA, LLB | The senior most partner of our firm having a professional experience of 23 years in the fields of Statutory Audit of Corporates, Information System Audits, GRC Implementation, Statutory Audit of Nationalized Banks, IS Audit and related fields. |
| CA Rahul Shetty | B.Com, FCA, DISA, FAFD | A practicing Chartered Accountant for the past 20 years with immense experience in the fields of Corporate Governance, Statutory Audit in ERP environments, Forensic Audits. He has wide knowledge of CAAT techniques and their related applications. |
| CA Princy Jain | B.Com, FCA, DISA, CISA, LLB, LLM | The youngest partner of our firm having a professional experience of 9 years. She has command of the fields of Forensic Audit, Information Systems Audit and Statutory Audit of various Entities. |



2. Auditee Environment

Structure of the Organization

The Company is based out of Bangalore and is headed by a Board consisting of six
directors, who oversee all the necessary operations of the company. All of them have
sound knowledge of the business needs and are well versed with the upcoming changes in the
industry. Presently the company has around 10,000 employees to manage the business
and overall operations efficiently.

The company also has an IT steering committee which consists of senior executives to
direct, review, and approve IT strategic plans, oversee major initiatives, and allocate
resources. It is not involved in day-to-day management of the IT organization.

IT Policies and Procedures

● The employees are restricted from using any kind of external devices such as pen
drives, hard disks in the system.
● Employees should have a strong password and use internet searching responsibly.
● All employees are expected to comply with the IT Policy rules and guidelines while
purchasing, using and maintaining any equipment or software purchased or provided
by the organization.
● Any employee who notices misuse or improper use of equipment or software within
the organization must inform his/her Reporting Manager(s) immediately.
● Network security is enabled in all PCs through Firewall, Web Security and Email
Security software.
● Employees are expected to undertake appropriate security measures as enlisted in
the IT Policy.
● IT Dept. is expected to maintain an incremental backup of all servers with at least 4
copies of all servers. At any time, 4 backups of all servers must be maintained.
● Employees are expected to make sure their Antivirus is updated regularly. The IT
Dept. should be informed if the Antivirus expires.
● Username and password allotted to an employee will be deleted
upon resignation/termination/retirement from the organization.



Technology Infrastructure

The company’s technology infrastructure briefly comprises the following components:

● Software components used: Content management systems, Web analytics,
Text analytics, Application Programming Interface (API), Database server,
Middleware, etc.; transaction processing, communication (HTTPS, messaging),
database, application middleware
● Hardware components used: Servers, proxy servers, load balancing systems,
firewalls, encryption devices and interactive voice response units, etc.

IT infrastructure of Shipkart

Architectural framework of Shipkart consists of various resources like DBMS, data
repository, computer languages, software agent-based transactions, monitors or
communication protocols to facilitate the integration of data and software for better
applications.

Further, there are six layers of IT infrastructure of Shipkart:

(I) Application services

Type of e-commerce application implemented, i.e., consumer-to-business application,
business-to-business application and intra-organizational application. Currently Shipkart
has three application services:
● Shipkart Prime
● Shipkart Business
● Shipkart Company

(II) Brokerage services, data or transaction management

This layer works as an intermediary who provides service integration between customers
and information providers, given some constraint such as low price, fast services or profit
maximization for a client.

(III) Interface and support layers

This layer provides interface for e-commerce applications such as interactive catalogs
and directory support. Interactive catalogs provide customized interface to customer
applications whereas directory services have the functions necessary for information
search and access.

(IV) Secure messaging, security and electronic document interchange

Electronic messaging services like e-mail, enhanced fax and EDI.

(V) Middleware and structured document interchange

The middleware services are used to integrate the diversified software programs and
make them talk to one another.

(VI) Network infrastructure and the basic communication services

Network infrastructure is required for effective and efficient linkage between the customer and
the supplier.



3. Background
In the technological era of the 21st century, there has been a revolution in the way business
is done. Businesses are now extensively dependent on IT infrastructure.
New and complex software comes onto the market on a regular basis. This leads to
more and more vulnerabilities in systems. A vulnerability is a weakness in the
application, which can be an implementation bug or a design flaw, that allows an attacker
to cause harm to the user of the application and get extra privileges. Vulnerability is the
potential risk for the system. Attackers use these vulnerabilities to exploit the system and get
unauthorized access and information.

In order to safeguard against these IT risks, it is better to find these vulnerabilities in
advance, before attackers do. Though it is almost impossible to have a 100% vulnerability free
system, by removing as many vulnerabilities as possible, we can increase system
security.

Vulnerability Assessment and Penetration Testing is a step-by-step process. Vulnerability
assessment is the process of scanning the system, software or network to find
the weaknesses and loopholes in it. These loopholes can provide a backdoor for attackers to
attack the victim. Penetration testing is the next step after vulnerability assessment.
Penetration testing is an attempt to exploit the system in an authorized manner to find the
possible exploits in the system. In penetration testing, the tester intends to exploit the
system and find out possible exploits.

By using vulnerabilities like SQL injection, CSRF and XSS, a hacker can compromise an
account, or in the worst cases even the server can get compromised. A hacker is able to change the
HTTP request generated on his computer before it is transferred to the server. An attacker
could obtain credit card details, credentials and other sensitive information by exploiting
a number of vulnerabilities. They are all common, despite the security features of modern
application frameworks. Therefore, it is necessary to go for Vulnerability Assessment and
Penetration Testing of the organization.

A network system having vulnerabilities may bring a great number of network threats.
These threats include Malware, Viruses, Payloads, Trojan Horses, Spyware, Rootkits,
Port Scanning, Social Engineering, MAC Address Spoofing, DoS and DDoS attacks.
These threats can also be categorized as Untrusted Threats, Structured Threats, External
Threats and Internal Threats, and there are a vast number of cyber-attacks other than these. Every attack
has its own potential towards networks. These attacks can take place due to the presence
of vulnerabilities in the system.



4. Situation
Shipkart is planning to undertake a major change in the system currently deployed. As it is
an e-commerce company highly dependent on the IT infrastructure for its operations, any
vulnerability in the system and information assets will directly affect the business objectives
and the security of its stakeholders in terms of data integrity.

Setting up an E-commerce system is a complex process. It is necessary to keep protection and
customer privacy at the top of your agenda as a Retailer. To maintain the integrity of the
E-commerce system, Penetration Testing becomes inevitable. Internal corporate LAN/WAN
environments are structured to allow users greater amounts of access with fewer security
controls, and this is exactly where the situation becomes exploitable. Any network design flaw or
network and server vulnerabilities can result in exploitable areas which are a target of
hackers.

Penetration Testing or Ethical Hacking is a necessary step in ensuring that an e-commerce
site is not accessible to hackers. The Ethical Hacker's intention is to find security weaknesses;
they attack servers and find the loopholes. After the penetration testing, a report listing
all the weaknesses in the application has to be made. This report helps to make the Application
completely secure and keep web assets safe.

The objective of pen testing is to ensure:

⦁ Software reliability
⦁ Software quality
⦁ System Assurance
⦁ Optimum performance and capacity utilization

The vulnerabilities identified in the organization are listed under the following heads:

1. Revenue loss due to improper order management
2. Leakage of confidential information
3. Cause Reputational Damage
4. Identity Theft
5. Discover Sensitive Information while accessing payment gateway
6. Weak Password being used in some networks
7. Shortcomings in the Firewall System
8. Improper Security Implementation
9. Vulnerability on the users end



5. Terms and Scope of Assignment
Vulnerability Assessment and Penetration Testing should cover Shipkart’s
Information system infrastructure which includes networking systems, security devices,
Servers, Databases, Applications Systems accessible through WAN, LAN as well as with
public IPs, websites maintained at Shipkart’s portal.

SSM and Co. should carry out an assessment of threats & vulnerabilities and assess the
risks in Shipkart’s Information Technology Infrastructure. This will include identifying
existing threats, if any, and suggesting remedial solutions and recommendations for the same to
mitigate all identified risks, with the objective of enhancing the security of Information
Systems.

For the effective conduct of the assessment, the following terms have been agreed upon
by the management:

● The management shall make available all the information, IT policy documents to
the auditors as and when it is required to be examined.
● It shall provide the Audit team with unrestricted access to the systems and data
storage, to take any information from or to deploy a test package into
the system.
● Audit team may question or interview any level users of the system on a prior
intimation to gain the feedback and conduct Vulnerability Assessment.
● The assignment is conducted only to provide observations with regard to the
Vulnerability Assessment and Penetration Testing of the network.

The Penetration testing services should combine both manual and automated techniques to
ensure Shipkart’s information asset is properly protected and that compliance
requirements are being met. The vulnerabilities and risks to Shipkart should be identified by performing a real-world
attack, and recommendations should be delivered for remediation with a detailed report
depicting a complete view of IT Infrastructure Security.



The scope of the assignment includes vulnerabilities and flaws through which an
E-commerce business can be attacked:

● Identify Vulnerabilities in order management
● Privacy and data integrity of user’s confidential information
● Identifying vulnerability loopholes on the users end
● Vulnerabilities in firewalls
● Payment Gateway Integration (PG) Flaws
● Conducting suitable penetration testing to report on the existing vulnerabilities and in
the new system to be implemented
● Provide recommendations to prevent such vulnerabilities in the system.
● Existence of Web Application Firewall
● If it has any system alert for suspicious activity which has not been tested.
● If the company stores sensitive information in the database, especially without
being encrypted then the data can be read from the database.
● It may be possible to use stored credit cards if unauthorized access can be gained to an
account, so the vulnerability can exist anywhere on the site; it doesn’t need to be
on the actual payment page.
● Manipulation of the shipping address
● Getting refunds even after order has been cancelled.
● Even after cancellation of the order the discounts offered on that product wouldn’t
deduct.
● Flaws related to Coupon and Reward Management: coupon redemption possibility
even after order cancellation, ability to bypass coupon’s terms & conditions and
validity, usage of multiple coupons for the same transaction, predictable Coupon
codes.
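
The coupon and refund items in the scope list above (multiple coupons per transaction, bypass of validity and terms, predictable codes, refunds after cancellation, discounts not deducted on cancellation) correspond to server-side checks. The following Python example is added here and is not code from Shipkart or from this report; the class names, the one-coupon-per-order rule and the policy that a coupon stays consumed after its order is cancelled are assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no 0/O or 1/I


class CouponError(Exception):
    """Raised when a coupon or refund rule is violated."""


def new_coupon_code(length: int = 12) -> str:
    # Drawn from the OS CSPRNG: 12 symbols x 5 bits = 60 bits, so a code
    # cannot be derived from earlier ones (unlike a counter or timestamp).
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Coupon:
    code: str
    discount: Decimal
    valid_until: date
    product_ids: frozenset
    used_by_order: Optional[str] = None


@dataclass
class Order:
    order_id: str
    product_id: str
    list_price: Decimal
    amount_paid: Decimal
    coupon_code: Optional[str]
    status: str = "PAID"


class OrderService:
    """Hypothetical order service; all state is kept server-side."""

    def __init__(self, today: date):
        self.today = today
        self.coupons = {}
        self.orders = {}

    def issue_coupon(self, discount, valid_until, product_ids) -> Coupon:
        coupon = Coupon(new_coupon_code(), Decimal(discount), valid_until,
                        frozenset(product_ids))
        self.coupons[coupon.code] = coupon
        return coupon

    def place_order(self, order_id, product_id, list_price, coupon_codes=()):
        # list_price is assumed to come from the server's catalogue,
        # never from a value submitted by the client.
        list_price = Decimal(list_price)
        if order_id in self.orders:
            raise CouponError("duplicate order id")
        if len(coupon_codes) > 1:
            raise CouponError("only one coupon per transaction")
        discount, code = Decimal("0"), None
        if coupon_codes:
            code = coupon_codes[0]
            coupon = self.coupons.get(code)
            if coupon is None:
                raise CouponError("unknown coupon")
            if coupon.used_by_order is not None:
                raise CouponError("coupon already redeemed")
            if self.today > coupon.valid_until:
                raise CouponError("coupon expired")
            if product_id not in coupon.product_ids:
                raise CouponError("coupon not valid for this product")
            discount = min(coupon.discount, list_price)
            coupon.used_by_order = order_id  # consumed only after all checks
        order = Order(order_id, product_id, list_price,
                      list_price - discount, code)
        self.orders[order_id] = order
        return order

    def cancel_order(self, order_id) -> Decimal:
        order = self.orders[order_id]
        if order.status != "PAID":
            raise CouponError("order already cancelled, no second refund")
        order.status = "CANCELLED"
        # Refund what was actually paid, so the discount is deducted.
        # Assumed policy: the coupon stays consumed and cannot be replayed.
        return order.amount_paid
```
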



6. Logistic Arrangements
Shipkart shall make available the necessary computer time, software and hardware
resources and support facilities necessary for completing the assignment within the
agreed timeframe.

The IT personnel of the company shall be required to extend full cooperation for the
effective conduct of the assignment. During the course of the assignment, we will require the
following infrastructure:

1. Hardware

• Windows based Systems, PDA and Laptops
• Printers & other Printing devices
• Scanners
• Storage media

2. System Software

a. System software must be selected according to the client IT environment, so
here we have to select the system software according to the IT environment
in the Auditee Organization.

b. We used the original licensed version of system software because it
maintains the authenticity of data.

3. Vulnerability Assessment and Penetration Testing tools

a. Wireshark: The very first step in the vulnerability assessment process is to have
a clear picture of what is happening on the network. Wireshark (previously
named Ethereal) works in promiscuous mode to capture all traffic of a TCP
broadcast domain.
b. Intruder: An automated online web vulnerability assessment tool that identifies a
wide range of threats.
c. Metasploit: A robust framework with pre-packaged exploit code. It is
supported by the Metasploit project with information on a massive number of
vulnerabilities and their exploits.
d. Nessus: An open-source online vulnerability and configuration scanner for IT
infrastructure.

The tools as discussed above help perform Vulnerability
Assessment and Penetration Testing (VAPT).

4. Others

a. Temporary User ID and Password for conducting Vulnerability Assessment
through white box approach

b. One of the fully functional laptops provided by the company to its employees
for assessment of Vulnerability in the hardware and other resources

c. Adequate seating and storage space for the team

d. Facilities for discussions amongst our team and company’s designated staff

e. Transport facilities to the headquarters and other such requirements



7. Methodology and Strategy adapted for execution of assignment
Audit Approach

Our approach to the assignment would be as follows:

● We propose to deploy a core team of 4 to 6 vulnerability assessment personnel for this
assignment in batches of 2 to 3 as per the skill sets required, under the personal
direction and liaison of a partner.
● Shipkart should designate a person at a senior level to coordinate with us.
● Shipkart should also depute one personnel each from system.
● Detailed systematic audit procedures would be finalized after completing review of the
documentation and discussion with the systems staff and the users.
● In tune with terms and scope of reference of the assignment, we will follow black
box, grey box and white box approach to identify vulnerabilities in the system.
● With the help of various tools, we would conduct penetration testing on the
vulnerabilities identified.

Structured Methodology

The above-mentioned objectives shall be achieved through the following structured
methodology:

● Obtain understanding of IT Resources deployment at Shipkart
● Obtain understanding of the IT Strategy and internal control system
● Formulation of draft assessment plan covering our review and testing
● Use tools to conduct vulnerability assessment and penetration testing
● Presentation of final report with agreed action plan based on results obtained from the
assessment and testing conducted

Shipkart shall make available all the required resources on time and provide one
coordinator for interaction and clarifications as required.

Audit plan

The audit plan would cover the following activities:

Discussions with the following Teams:

1. Software development and life cycle (SDLC) team
2. Systems\Implementation Team
3. Users and user management
4. Review of Operating Systems (OS) documentation
5. Examination of OS access rights
6. Examination of selected Module’s access profiles
7. Observation of the Users and the systems in operation
8. Review of access controls over Computers as relevant
9. Examination of computerized processing controls incorporated within the selected
modules.
10. Identify vulnerability and conduct penetration testing with the help of tools

Audit Program\procedures

Our audit team would follow programs\procedures as mentioned below:

1. Undertake an in-depth study and analysis of all aspects of the new system to be
implemented. In doing so, the following objectives would be kept in mind while
setting the overall goals:
● Identify vulnerability in the new system to be implemented with respect to
operational, security, confidentiality of the business.
● Identify vulnerability based on user experience and on the user end.
● Conduct penetration testing on the vulnerability identified.
● Exposure in terms of financial and data security while conducting penetration
testing.

2. Conducting vulnerability assessment

The VAPT Techniques to be used by us are as follows:

● Static Analysis- In this technique we do not execute any test case or exploit. We
analyze the code structure and contents of the system. With this technique we can find
out about all types of vulnerabilities. In this technique we do not exploit the
system, so there would be no bad effect of this testing on the system.
● Manual Testing- In this technique, we do not require any tool or any software to
find out vulnerabilities. The tester uses his own knowledge and experience to find
out the vulnerabilities in the system. This testing can be performed with a prepared
test plan (Systematic manual testing) or without any test plan (Exploratory manual
testing).
● Automated Testing- In automated testing technique we use automated
vulnerability testing tools to find vulnerabilities in the system. These tools execute
all the test cases to find out vulnerabilities. This reduces the man-hours and time
required to perform testing. Because of the tool, repeated testing can also be
performed very easily.
● Fuzz Testing- This is also known as fuzzing. In this we input invalid or random
data into the system and then look for crashes and failures. This is like robustness
testing. This technique can be applied with very little human interaction. This
technique can be used to find out zero-day vulnerability.

3. Penetration Testing Techniques

● Black Box Testing: In this technique, the tester does not have any prior knowledge of the
network architecture or systems of the testing network. Usually black box testing
is performed from external network to internal network. Tester has to use his
expertise and skills to perform this testing.
● Grey Box Testing: In this technique, the tester has some partial knowledge of the testing
network. The tester does not have knowledge of the complete network architecture, but he
knows some basic information about the testing network and system configuration.
Actually, Grey box testing is the combination of both the other techniques. This
can be performed from internal or external network.
● White Box Testing: Testers have complete knowledge of the network configuration of
the testing network and the system configuration of the testing network/system.
Usually this testing is performed from the internal network. White box testing requires
deep understanding of the testing network or system and gives better results.



8. Documents Reviewed:
During the course of audit, the following documents were reviewed as required by our
team:

● Organizational Structure Policy
● Information Security Policy
● Network Security Policy
● Remote Access Policy
● Internet Access Policy
● Password Management Policy
● Privacy And Confidentiality Policy
● Ethical Standards
● Incidence occurrence and Response register
● Business Continuity Plan
● Backup And Retrieval Policy
● User creation modification and deletion policy
● Encryption policy and procedures
● Risk Assessment Policy
● Document related to Organization chart & hierarchy and job responsibility
● Access matrix circulars, guidelines issued to employees
● Findings report of Internal Audit department
● Physical Access Control Policy
● Logical Access Control Policy
● Software License Management
● Roles And Responsible Policy



9. References
Following are the references we have studied and followed for conducting network
security audit of remote operations including work from home:

1. Background material issued by the Institute of Chartered Accountants of India for
Information Systems Audit 3.0 course.
2. IS Audit and Assurance Standards issued by ISACA.
3. www.ISACA.org
4. tech-talk.org
5. www.cyberdefensemagazine.com
6. Security policy for the Organization
7. https://en.wikipedia.org/wiki/E-commerce
8. www.guru99.com
9. www.firewall.firm.in
10. www.securitybrigade.com
11. www.vapt.in
12. www.veracode.com
13. www.redscan.com
14. www.valencynetworks.com



10. Deliverables
After evaluation of the auditee environment and assessment of systems for vulnerabilities, we
identified several areas which require attention of the management for providing a
secured working environment so that the work can remain unaffected by external and
internal risks and be less prone to malicious attacks. In the process, we prepared the
VAPT report and shared it with the management for their comments. Report includes
executive summary of the observations made during the audit along with detailed findings
and recommendations thereon, to correct or prevent the underlying vulnerabilities, as the case
may be.

We shall also provide

• Guidelines that assist protection of confidentiality, availability, and integrity of data
of Shipkart, identifying specific areas of improvement ensuring that the information
systems implemented provide a safe and secure computing environment.
• Providing specific recommendations on security control, regular check, follow up
and best practices, which can be adopted by Shipkart as applicable.
• Providing key issues identifying areas of control weakness in the security control
implemented with recommendation for improvement.



11. Format of Report/Findings and Recommendations

(I) EXECUTIVE SUMMARY

Our vulnerability assessment and penetration testing determined that

● The new system to be implemented has many benefits in terms of user experience,
load capacity, data management, and lesser lag time.
● However, we have come across many vulnerabilities in the existing and new system
which need to be corrected.
● Major vulnerabilities had been noticed in the system programming of the operational
end which may lead to huge revenue loss once explored by attackers.
● Other major vulnerabilities have been identified on the security and confidentiality end.
These vulnerabilities if exploited can have a huge impact on the reputation of Shipkart.
● We have provided our recommendations considering the vulnerabilities identified and also
the exposure it can have. We have also provided the approximate time which may
be required to fix the vulnerabilities.



(II) OBSERVATION ANDRECOMMENDATIONS

S. Vulnerabilities Description Recommendations Risk


No. and assessment
Observation
1 Revenue • Applicability • While High
loss ofmultiple conductingVulnerability
due offersforone Assessment and
toimproperorder transaction PenetrationTesting, we
management • Getting refunds identified this vulnerability
even after has a huge exposure to
orderhasbeencancel revenuelosswhen
led identifiedbyusers/attackers.
• Even • This deficiency identified is
aftercancellation due to flaw
oftheorder intheprogramming
thediscountsoffered logicandneeds to be
onthatproduct corrected. If
wouldn’t deduct notcorrected,thismaylead
• Flaws to further revenueleakage.
relatedtoCoupon • Shipkart needs to fix the
andRewardManage flaw of coupon codes
ment being predicted by users
• Bypass by changing thealgorithm.
ofcoupon’svalidity
date
• Illegitimate usage of
coupons
withotherproducts
• Wrongproductsbeing
exchangedon
exchange requests

Vulnerability Assessment and Penetration Testing Page24of27


2. Security Implementation
Risk: High

Findings:
• Manipulation of price during order placement
• Orders shipped to unauthorized persons
• Open ports in the system
• Old user profiles not deleted in system

Recommendations:
• Through the penetration testing it was identified that attackers could manipulate the price during order placement with the help of malware. It is important to ensure that strong malware protection software is introduced to reduce such vulnerabilities.
• System checks should be incorporated so that the delivery of orders is made to authorized personnel only, i.e., implement a system-generated one-time password before delivery of orders.
• Leaving standard ports in the system open to the internet can invite attack.
• A firewall can be used on the server.
• User accounts should be audited frequently to make sure that appropriate access to database servers and objects is enabled, and old user profiles should be either inactivated or deleted.

3. Vulnerability on the users end
Risk: Medium

Findings:
• Weak passwords set up by the users, vulnerable to unauthorized access
• Connecting to unsecured Wi-Fi hotspots
• Not balancing security with convenience

Recommendations:
• These can be solved by implementing controls, such as making some specified characters mandatory while creating passwords.
• Educating the users about the vulnerabilities of connecting to unsecured Wi-Fi hotspots and about balancing security with convenience.

4. Vulnerabilities in firewall
Risk: Medium

Findings:
A firewall vulnerability is defined as an error made during firewall design, implementation, or configuration, that can be exploited to attack the trusted network that the firewall is supposed to protect.

Recommendations:
Allowed ICMP should be restricted. Unnecessarily open TCP and UDP ports should be closed. Trust or unrestricted access to certain IP addresses should be restricted. A Web Application Firewall shall be installed.



5. Discovery of sensitive information vulnerable to attack
Risk: High

Findings:
It has been noticed that the card details of the customers are secured and encrypted. However, payments made through other modes such as mobile wallets and UPI are maintained in plain text. This is sensitive information of the customers and is vulnerable to attackers.

Recommendations:
It is highly recommended to immediately save the sensitive data of the customers in encrypted form. Any report of unauthorized use of this data by employees or attackers will directly cause reputational damage.



6. Encryption inappropriately applied
Risk: Medium

Findings:
Encryption hides the data or connection information in DB Server. The data of the customers such as Name, Contact Details

Recommendations:
Correctly implement DB Server encryption.

7. Weak or Default Passwords
Risk: Low

Findings:
In some networks, weak or default passwords were observed.

Recommendations:
Strong, complex passwords should be used, as per the policy which exists for having a strong password. Default passwords shall be changed.

8. Insecure Configuration SSL/TLS, SSH
Risk: High

Findings:
There are a number of SSL/TLS-related items which need to be addressed. These issues primarily fall into either the weak encryption or identity spoofing categories. While these issues generally require a concerted and often long-term effort on the part of an attacker, they are still possible ways in which sensitive information may be leaked/compromised.

Recommendations:
• Ensure that SSL-enabled services use valid SSL certificates.
• Do not allow SSLv2 and SSLv3 connections. Restrict access to TLS 1.2 if possible.
• Remove support for weak cryptographic ciphers and weak key strength ciphers.
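The SSL/TLS recommendations in item 8 can be checked mechanically. The following Python example is added here and is not part of the original report: `audit_offers`, `hardened_server_context`, `context_offers` and the `LEGACY_SCAN` sample are hypothetical names and constructed data, and accepting TLS 1.3 alongside TLS 1.2 is an assumption.

```python
import re
import ssl

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}   # assumption: TLS 1.3 is acceptable too
WEAK_TOKENS = {"NULL", "EXP", "EXPORT", "RC4", "RC2", "DES", "CBC3", "3DES",
               "MD5", "ADH", "AECDH"}


def audit_offers(offers):
    """offers: iterable of (protocol, cipher_name) pairs a service accepts.
    Returns a sorted list of findings; an empty list means compliant."""
    findings = set()
    for protocol, cipher in offers:
        if protocol not in ALLOWED_PROTOCOLS:
            findings.add(f"protocol {protocol} must be disabled")
        # Match whole name components so "DES" never matches inside "AES".
        weak = WEAK_TOKENS.intersection(re.split(r"[-_]", cipher.upper()))
        if weak:
            findings.add(f"cipher {cipher} is weak ({', '.join(sorted(weak))})")
    return sorted(findings)


def hardened_server_context():
    """Server context limited to TLS 1.2+ with forward-secret AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuses SSLv3, TLS 1.0, TLS 1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # governs the TLS 1.2 suites
    return ctx


def context_offers(ctx):
    """(protocol, cipher) pairs the local OpenSSL build enables for ctx.
    OpenSSL reports the protocol version that introduced each suite."""
    return [(c["protocol"], c["name"]) for c in ctx.get_ciphers()]


# Constructed sample: pairs a scan of a legacy endpoint might report.
LEGACY_SCAN = [
    ("SSLv3", "RC4-SHA"),
    ("TLSv1.0", "DES-CBC3-SHA"),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
]

if __name__ == "__main__":
    for finding in audit_offers(LEGACY_SCAN):
        print("FINDING:", finding)
    print("hardened:", audit_offers(context_offers(hardened_server_context())))
```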



12. Summary/Conclusion
During the course of the assessment, we mainly emphasized vulnerability assessment and
penetration testing, which provide a secure and ethical way to evaluate and determine
system and network weaknesses and flaws. Missing patches, weak or default passwords,
unnecessarily open ports, misconfigured firewalls and other networking devices, and mobile
and USB devices are common vulnerabilities, so penetration testing first points out these
vulnerabilities. Penetration testing can be performed externally and internally, in
three types (Black Box, White Box and Grey Box), in a number of defined phases that
include Planning, Reconnaissance, Exploration, Vulnerabilities Assessment,
Exploitation, Reporting and Recommendation. Penetration testing is similar to the
hacking process, but penetration testing is legal while hacking is illegal. Penetration
testing is carried out at the request of the owner, whereas hacking is gaining access to
networks illegally and is a crime. Hence penetration testers are expected to be ethical
while conducting tests. Vulnerability management consists of the processes Discover,
Prioritize Assets, Assessment, Reporting, Remediating, and verification that
vulnerabilities have been eliminated.

On our assessment of the systems, it was found that the network tested was not
secured in a manner aligned with good practices. A number of issues were identified
that negatively impact the security posture of the organisation. The description
of these issues and recommendations on how they can be minimised have been reported.

As IT plays an important role in achieving sustainable development, it also needs to be
tested periodically for vulnerabilities, and those vulnerabilities pen tested, so that
confidentiality, integrity and availability of the system and information are preserved and
the system is less prone to malicious attacks. Further, during VAPT it was found that the
system has some areas of concern vulnerable to attacks that could be exploited to cause
damage or allow an attacker to manipulate the system in some way, which may affect the
organisation. Moreover, critical areas covering security of the information and data, order
management, firewalls and encryption policies were vulnerable to attacks. Our findings
and recommendations through VAPT will surely help the organisation to minimise the
vulnerabilities, to secure its network and to take corrective actions.
