Cyberdin-Example Report

Find the vulnerabilities before hackers do. Always be a few steps ahead.
Cyberdin
Web Application Penetration Test Report
CYBERDIN © 2010-2012 All Rights Reserved contact@cyberdin.com | www.cyberdin.com

Introduction
This report holds the results of a web application security scan performed on the
Test-Website.com application.
CYBERDIN provides customized security solutions to support the integrity of

your environment. These assessments aim to unconver any security issues in the
scanned web application, explain the impact and risks associated with the found
issues, and provide guidance in the prioritization and remediation steps.
Using CYBERDIN services, you can identify security holes in Web Applications
and Network based systems.
CYBERDIN was not provided with access credentials for the application and an
overview of the application.
This report relates to the testing against the Test-Website.com application from
the perspective of an unauthorized attacker.

Executive Summery
URL / IP: Test-Website.com

Check Type: Web Application
Check schedule: Single Check
CYBERDIN Threat Level: 5

The systems exposed to critical vulnerabilities.
Malicious user can exploit existing vulnerabilities and
perform hostile operations.

Vulnerability Severity Security Risk Recommendation More Info
SQL Injection Critical It is possible to execute SQL Parameterized statements must be used. http://en.wikipedia.org/
commands on the SQL Server thru User input must be carefully escaped or wiki/SQL_injection
the application. filtered.
eShoplifting High It is possible to steal goods or Do not relay on the client side parameters http://en.wikipedia.org/
services. for price calculations. Do not use Base- wiki/Shoplifting
64 for encoding price information.
Blind SQL High It is possible to execute SQL User input must not directly be embedded http://en.wikipedia.org/
Injection commands on the SQL Server thru in SQL statements. Instead, wiki/SQL_injection
the application. parameterized statements must be used.
User input must be carefully escaped or
filtered.
Cross Side High It is possible to steal or manipulate There are several issues whose http://en.wikipedia.org/
Scripting (XSS) customer session and cookies, which remediation lies in sanitizing user input. wiki/Cross-
may be used to impersonate a site_scripting
legitimate user.
LDAP Injection High This could result in the execution of There are several issues whose http://www.blackhat.co
arbitrary commands such as granting remediation lies in sanitizing user input. m/presentations/LDAP.
permissions to unauthorized users, pdf
and content modifications.
CAPTCHA Medium Could allow a remote attacker to Upgrade to newer version (if exists). http://www.cs.sfu.ca/~m
Bypass bypass the CAPTCHA Captcha image should be distorted, and ori/research/gimpy/
implementation, thus undermining cluttered and with textured background.
http://www.owasp.org/i
the security benefit of the The distortion and clutter is sufficient to
ndex.php/Testing_for_C
CAPTCHA technology. confuse OCR (optical character aptcha_(OWASP-AT-
recognition) software. 008)
Cross Site Medium Http Track & Trace enabled on the Disable the HTTP TRACE method in http://www.kb.cert.org/
Tracing web server. It is possible to steal or your web server. vuls/id/867593
manipulate customer session and
cookies, which may be used to
impersonate a legitimate user.
Application Low It is possible to gather sensitive Use generic error displaying. Use try and http://www.owasp.org/i
Errors debugging information. The attacker catch blocks. ndex.php/Missing_Error
can gain useful information from the _Handling
application's responses.
Hidden Informational It is possible to retrieve information If the forbidden resource is not required,
Directory about the site's file system structure, remove it from the site.
which may help the attacker to map
the web site.

Performed Attacks List

A L
 Account lockout attack  LDAP injection
 Asymmetric resource consumption
M
B
 Man-in-the-middle attack
 Blind SQL Injection
 Blind XPath Injection O
 Brute force attack
 Buffer overflow attack  Overflow Binary Resource File
C P
 CSRF  Parameter Delimiter
 Cache Poisoning  Path Traversal
 Command Injection
 Cross Site Tracing
 Cross-Site Request Forgery (CSRF)
R
 Cross-site Scripting (XSS)
 Resource Injection
 Cryptanalysis
D S
 SQL Injection
 Denial of Service
 Server-Side Includes (SSI) Injection
 Direct Dynamic Code Evaluation
 Session Prediction
('Eval Injection')
 Session fixation
 Double Encoding
 Session hijacking attack
F
U
 Forced browsing
 Unicode Encoding
 Format string attack
 Full Path Disclosure
W
H
 Web Parameter Tampering
 HTTP Request Smuggling
 HTTP Response Splitting X
 XPATH Injection

Performed Tests List

Information Gathering Authentication Testing
 Spiders, Robots and Crawlers  Credentials transport over an encrypted

 Search Engine channel
Discovery/Reconnaissance  User enumeration
 Identify application entry points  Guessable (Dictionary) User Account
 Testing for Web Application  Brute Force Testing
Fingerprint  Bypassing authentication schema
 Application Discovery  Vulnerable remember password and
 Analysis of Error Codes password reset
 Logout and Browser Cache
Configuration Management Testing Management
 Weak Captcha implementation
 SSL/TLS Testing (SSL Version,  Multiple Factors Authentication
Algorithms, Key length, Digital Cert.
Validity) Session Management
 DB Listener Testing
 Infrastructure Configuration  Bypassing Session Management
Management Testing Schema (Weaknesses in Session
 Application Configuration Token)
Management Testing  Testing for Cookies attributes (‘HTTP
 File Extensions Handling Only’, ‘Secure’, and time validity)
 Old, backup and unreferenced files  Session Fixation
 Infrastructure and Application  Exposed Session Variables
Admin Interfaces  CSRF – Cross Site Request Forgery
 HTTP Methods and XST (Cross Site
Tracing) Authorization Testing
 Path Traversal
 Bypassing authorization schema
 Privilege Escalation

Business logic testing Denial of Service Testing
 Bypassing Business Logic  SQL Wildcard Attacks

 Locking Customer Accounts
Data Validation Testing  DoS using Buffer Overflow
 User Specified Object Allocation
 Reflected Cross Site Scripting  User Input as a Loop Counter
 Stored Cross Site Scripting  Writing User Provided Data to Disk
 DOM based Cross Site Scripting  Failure to Release Resources
 Cross Site Flashing  Storing too Much Data in Session
 SQL Injection
 LDAP Injection Web Services Testing
 ORM Injection
 XML Injection  WS Information Gathering
 SSI Injection  Testing WSDL Weakness
 XPath Injection  XML Structural Testing
 IMAP/SMTP Injection  XML content-level Testing
 Code Injection  HTTP GET parameters/REST Testing
 OS Commanding  Naughty SOAP attachments
 Buffer overflow  Replay Testing
 Incubated vulnerability
 HTTP Splitting/Smuggling Ajax Testing
 AJAX Vulnerabilities
 AJAX Testing

Detailed Report
SQL Injection Vulnerability
Severity: Critical
Security Risk: It is possible to execute SQL commands on the SQL

Server thru the application.
Recommendation: User input must not directly be embedded in SQL

statements. Instead, parameterized statements must be
used. User input must be carefully escaped or filtered.
More Info: http://en.wikipedia.org/wiki/SQL_injection
Get Requests:
http://www.Test-Website.com/Products.aspx?item=1'%20having%201=1--
http://www.Test-Website.com/Products.aspx?cat=1%a5'%20having%201=1--
http://www.Test-Website.com/List-Products.aspx?prod=%00'
http://www.Test-Website.com/List-Products.aspx?cat=1'
http://www.Test-Website.com/Members.aspx?userid= \'
Server Response:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the
select list if the statement contains a UNION operator.
/Products.aspx, line 5

eShoplifting Vulnerability
Severity: High
Security Risk: It is possible to steal goods or services.
Recommendation: Do not relay on the client side parameters for price

calculations. Do not use Base-64 for encoding price
information.
More Info: http://en.wikipedia.org/wiki/Shoplifting
Post Requests & Server Response:

Blind SQL Injection Vulnerability
Severity: High
Security Risk: It is possible to execute SQL commands on the SQL

Server thru the application.
Recommendation: User input must not directly be embedded in SQL

statements. Instead, parameterized statements must be
used. User input must be carefully escaped or filtered.
More Info: http://en.wikipedia.org/wiki/SQL_injection
Post Requests:
POST /Members/account.aspx HTTP/1.0
listAccounts=1001160141+and+1=1
POST /Members/account.aspx HTTP/1.0
listAccounts=1001160141+and+1=2
Server Response:
The resulting test responses show that requests containing conditions with the same logical
values were identical to the original valid response, and the responses with different values
were not. This indicates that an SQL query is being executed at the back-end database, and that
the injected values affect the original query.

Cross Side Scripting (XSS) Vulnerability
Severity: High
Security Risk: It is possible to steal or manipulate customer session

and cookies, which may be used to impersonate a
legitimate user.
Recommendation: There are several issues whose remediation lies in

sanitizing user input.
By verifying that user input does not contain hazardous
characters, it is possible to prevent malicious users
from causing your application to execute unintended
JavaScript code.
More Info: http://en.wikipedia.org/wiki/Cross-site_scripting
Get & Post Requests:

http://www. www.Test-
Website.com/Search.aspx?test=%3E%22%27%3E%3Cscript%3Ealert%281491%29%3C%2Fscript%3E
http:// www.Test-Website.com/Resource/controller.swf?onend=javascript:alert(XSS)//
POST /members.aspx HTTP/1.0
name=anonymous+user&text=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x6
1;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(50
108)>&submit=add+message
POST /search.aspx?test=query HTTP/1.0

searchFor=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%2
6%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(100783)>&goButton=
go

POST /secured/newuser.apsx HTTP/1.0

uuname=</TextArea><script>alert(50108)</script>&upass=&upass2=&urname=&ucc=1234&uemail=ab
c123%40acme-hackme.com&uphone=555-555-5555&uaddress=753+Main+Street&signup=signup
POST /List-Products.aspx?cat=1 HTTP/1.0

searchFor=</title><ScRiPt%20%0a%0d>alert(400163922725)%3B</ScRiPt>&goButton=go

LDAP Injection Vulnerability
Severity: High
Security Risk: This could result in the execution of arbitrary

commands such as granting permissions to
unauthorized users, and content modification inside the
LDAP tree.
Recommendation: Use input validation. The underlying code needs to

verify the correct input using a white list and regular
expression. Verify that the input is validated and that
there is not the ability to inject additional LDAP
information, especially the () | * characters.
More Info: http://www.blackhat.com/presentations/LDAP.pdf
Post Requests:
POST /Members.aspx
uid=admin)(&))&password=pwd
Server Response:
Authentication bypasses using LDAP injection on the “uid” parameter.

CAPTCHA Bypass Vulnerability
Severity: Medium
Security Risk: Could allow a remote attacker to bypass the

CAPTCHA implementation, thus undermining the
security benefit of the CAPTCHA technology.
Recommendation: Upgrade to newer version (if exists). Captcha image

should be distorted, and cluttered and with textured
background. The distortion and clutter is sufficient to
confuse OCR (optical character recognition) software.
More Info: http://www.cs.sfu.ca/~mori/research/gimpy/
http://www.owasp.org/index.php/Testing_for_Captcha
_(OWASP-AT-008)
Post Requests:
POST /Members.aspx
uid=CYBERDIN&password=InfoSeCheck.com&captchaImage=agos 12F

Cross Site Tracing Vulnerability
Severity: Medium
Security Risk: Http Track & Trace enabled on the web server. It is
possible to steal or manipulate customer session and
cookies, which may be used to impersonate a
legitimate user.
Recommendation: Disable the HTTP TRACE method in your web server.
More Info: http://www.kb.cert.org/vuls/id/867593
Test Requests:
TRACE /CYBERDIN-HTTP_Track_Vuln HTTP/1.0
Server Response:
HTTP/1.1 200 OK
Connection: close
Content-Type: message/http
TRACE / CYBERDIN-HTTP_Track_Vuln HTTP/1.0

Application Errors
Severity: Low
Security Risk: It is possible to gather sensitive debugging

information. The attacker can gain useful information
from the application's responses.
Recommendation: Use generic error displaying. Use try and catch blocks.
More Info: http://www.owasp.org/index.php/Missing_Error_Handling
Post Requests:
POST /Members.aspx
uid='0x%0a&password=CYBERDIN_Technologies
Server Response:

Hidden Directory Detected
Severity: Informational
Security Risk: It is possible to retrieve information about the site's file

system structure, which may help the attacker to map
the web site.
Recommendation: If the forbidden resource is not required, remove it

from the site. Website's Back-Office should be
restricted to specific IP's.
Get Requests:
GET /admin/ HTTP/1.0
Server Response:
HTTP/1.1 403 Forbidden

Password Input with Auto-Complete Enabled
Severity: Informational
Security Risk: Stored passwords can be extracted from local browser

and exposed to hostile use.
Recommendation: Password Auto-Complete property should be disabled.

You may use a code similar to:
<INPUT TYPE="password" AUTOCOMPLETE="off">
More Info: http://msdn.microsoft.com/en-us/library/ms533032(VS.85).aspx
Get Requests:
Get /Members.aspx
Server Response:
HTTP/1.1 200 OK

Appendix 1
Special (dangerous) Characters List:
It is advised to filter out all the following characters:
[1] |
[2] & [15] 0x0d
[3] ; [16] ,
[4] $ [17] \
[5] % [18] ~
[6] @ [19] #
[7] ' [20] ^
[8] " [21] *
[9] \ [22] _
[10] > and < [23] } and {
[11] ) and ( [24] ] and [
[12] + [25] =
[13] 0x00 [26] -
[14] 0x0a [27] `

Cyberdin-Example Report

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cyberdin-Example Report

Uploaded by

Copyright:

Available Formats

Find the vulnerabilities before hackers do. Always be a few steps ahead.

CYBERDIN © 2010-2012 All Rights Reserved contact@cyberdin.com | www.cyberdin.com

CYBERDIN provides customized security solutions to support the integrity of

CYBERDIN © 2010-2012 All Rights Reserved contact@cyberdin.com | www.cyberdin.com

URL / IP: Test-Website.com

CYBERDIN Threat Level: 5

CYBERDIN © 2010-2012 All Rights Reserved contact@cyberdin.com | www.cyberdin.com

Vulnerability Severity Security Risk Recommendation More Info

CYBERDIN © 2010-2012 All Rights Reserved contact@cyberdin.com | www.cyberdin.com

Performed Attacks List

CYBERDIN © 2010-2012 All Rights Reserved contact@cyberdin.com | www.cyberdin.com

Performed Tests List

 Spiders, Robots and Crawlers  Credentials transport over an encrypted

CYBERDIN © 2010-2012 All Rights Reserved contact@cyberdin.com | www.cyberdin.com

Business logic testing Denial of Service Testing

 Bypassing Business Logic  SQL Wildcard Attacks

CYBERDIN © 2010-2012 All Rights Reserved contact@cyberdin.com | www.cyberdin.com

Security Risk: It is possible to execute SQL commands on the SQL

Recommendation: User input must not directly be embedded in SQL

More Info: http://en.wikipedia.org/wiki/SQL_injection

CYBERDIN © 2010-2012 All Rights Reserved contact@cyberdin.com | www.cyberdin.com

Security Risk: It is possible to steal goods or services.

Recommendation: Do not relay on the client side parameters for price

More Info: http://en.wikipedia.org/wiki/Shoplifting

Post Requests & Server Response:

CYBERDIN © 2010-2012 All Rights Reserved contact@cyberdin.com | www.cyberdin.com

Blind SQL Injection Vulnerability

Security Risk: It is possible to execute SQL commands on the SQL

Recommendation: User input must not directly be embedded in SQL

More Info: http://en.wikipedia.org/wiki/SQL_injection

POST /Members/account.aspx HTTP/1.0

CYBERDIN © 2010-2012 All Rights Reserved contact@cyberdin.com | www.cyberdin.com

Cross Side Scripting (XSS) Vulnerability

Security Risk: It is possible to steal or manipulate customer session

Recommendation: There are several issues whose remediation lies in

More Info: http://en.wikipedia.org/wiki/Cross-site_scripting

Get & Post Requests:

POST /members.aspx HTTP/1.0

POST /search.aspx?test=query HTTP/1.0

CYBERDIN © 2010-2012 All Rights Reserved contact@cyberdin.com | www.cyberdin.com

POST /secured/newuser.apsx HTTP/1.0

POST /List-Products.aspx?cat=1 HTTP/1.0

CYBERDIN © 2010-2012 All Rights Reserved contact@cyberdin.com | www.cyberdin.com

LDAP Injection Vulnerability

Security Risk: This could result in the execution of arbitrary

Recommendation: Use input validation. The underlying code needs to

More Info: http://www.blackhat.com/presentations/LDAP.pdf

CYBERDIN © 2010-2012 All Rights Reserved contact@cyberdin.com | www.cyberdin.com

CAPTCHA Bypass Vulnerability

Security Risk: Could allow a remote attacker to bypass the

Recommendation: Upgrade to newer version (if exists). Captcha image

More Info: http://www.cs.sfu.ca/~mori/research/gimpy/

CYBERDIN © 2010-2012 All Rights Reserved contact@cyberdin.com | www.cyberdin.com

Cross Site Tracing Vulnerability

Recommendation: Disable the HTTP TRACE method in your web server.

More Info: http://www.kb.cert.org/vuls/id/867593

TRACE / CYBERDIN-HTTP_Track_Vuln HTTP/1.0

CYBERDIN © 2010-2012 All Rights Reserved contact@cyberdin.com | www.cyberdin.com

Security Risk: It is possible to gather sensitive debugging

More Info: http://www.owasp.org/index.php/Missing_Error_Handling

CYBERDIN © 2010-2012 All Rights Reserved contact@cyberdin.com | www.cyberdin.com

Hidden Directory Detected

Security Risk: It is possible to retrieve information about the site's file