
Week {2}

Penetration Testing Report

Introduction
This report describes the proceedings and results of a Black Box security
assessment conducted against the Week {2} Labs. It lists the findings and the
corresponding best-practice mitigation actions and recommendations.

1. Objective
The objective of the assessment was to uncover vulnerabilities in the Week {2} Labs and
provide a final security assessment report comprising vulnerabilities, remediation strategy
and recommendation guidelines to help mitigate the identified vulnerabilities and risks
during the activity.

2. Scope
This section defines the scope and boundaries of the project.

Application Name: {HTML INJECTION}, {ClickJacking}

3. Summary
Outlined is a Black Box Application Security assessment for the Week {2} Labs.

Total number of Sub-labs: {count} Sub-labs

High: {1}
Medium: {3}
Low: {4}

High - Encode IT!

Medium - File Content And HTML Injection A Perfect Pair!, Injecting HTML Using
URL, Re-Hijack!

Low - HTML's Are Easy, Let Me Store Them!, File Names Are Also Vulnerable!,
Let's Hijack!

1. {Click Jacking}
1.1. {Let's Hijack!}
Reference Risk Rating
{Lets hijack} Low
Tools Used
Security headers
Vulnerability Description
Clickjacking, also known as a “UI redress attack”, is an interface-based attack in which a user is
tricked into clicking on actionable content on a hidden website by clicking on some other content
in a decoy website. In simple words, an attacker uses multiple transparent or opaque layers to
trick a user into clicking on a button or link on another page when they intended to click
on the top-level page.

How It Was Discovered


Automated Tools
Vulnerable URLs
https://www.bugbountyhunter.org/internship_labs/HTML/clickjacking_lab/lab_2/lab_2.php
Consequences of not Fixing the Issue
Attackers may abuse clickjacking vulnerabilities for many different purposes:
To gain followers on social media and then, possibly, sell the social media account/page for
mass marketing.

Suggested Countermeasures
Content Security Policy (CSP)
References
https://owasp.org/www-community/attacks/Clickjacking

Proof of Concept
This section contains proof of the above vulnerability in the form of a screenshot
from the lab.

1.2. {Re-Hijack!}
Reference Risk Rating
{Re-Hijack!} Medium
Tools Used
hacktify labs
Vulnerability Description
Clickjacking, also known as a “UI redress attack”, is an interface-based attack in which a user is
tricked into clicking on actionable content on a hidden website by clicking on some other content
in a decoy website.
How It Was Discovered
Automated Tools
Vulnerable URLs
https://owasp.org/www-community/attacks/Clickjacking
Consequences of not Fixing the Issue
What will be the consequences if the vulnerability is not patched?
Suggested Countermeasures
Attackers may abuse clickjacking vulnerabilities for many different purposes:
To gain followers on social media and then, possibly, sell the social media account/page for
mass marketing.

References
https://owasp.org/www-community/attacks/Clickjacking
Proof of Concept

2. {HTML Injection}
2.1. {Sub-lab-1 Name}
Reference Risk Rating
{HTML's Are Easy!} Low
Tools Used
hacktify labs
Vulnerability Description
HTML stands for Hypertext Markup Language. It is a standard markup language for web pages.
A collection of web pages makes a website. HTML elements are represented by <> tags, and
each tag has a different function.

How It Was Discovered


Automated Tools
Vulnerable URLs
https://www.imperva.com/learn/application-security/html-
Consequences of not Fixing the Issue
An attacker discovers an injection vulnerability and decides to use an HTML injection attack.
The attacker crafts a malicious link, including his injected HTML content, and sends it to a user
via email.
The user visits the page because it is located within a trusted domain.
Suggested Countermeasures
Give some Suggestions to stand against this vulnerability
References
Every input should be checked for script code or HTML code. One should
check whether the input contains any special script or HTML brackets – <script></script>, <html>
</html>.
There are many functions for checking whether input contains any special brackets. The
choice of checking function depends on the programming language that you are using.

Proof of Concept

NOTES:

● Everything mentioned inside {} has to be changed based on your week, labs and
sub-labs.
● If you have 2 labs in the same week, you need to mention that; if not, ignore those
mentions for lab 2.
● This template shows 2 sub-lab vulnerabilities; you need to add all the sub-labs based
on your labs.
● Don’t forget to add the screenshot of the vulnerability in the Proof of Concept section.
● Add only 1 screenshot in the Proof of Concept section.
● This NOTES section is only for your reference; don’t forget to delete it from the
report you submit.
