Cyberdin
Web Application Penetration Test Report
Introduction
This report holds the results of a web application security scan performed on the Test-Website.com application.
Using CYBERDIN services, you can identify security holes in Web Applications and Network based systems.
CYBERDIN was not provided with access credentials for the application or an overview of the application.
This report relates to the testing of the Test-Website.com application from the perspective of an unauthorized attacker.
Executive Summary
SQL Injection
Severity: Critical
Security Risk: It is possible to execute SQL commands on the SQL Server through the application.
Recommendation: Parameterized statements must be used. User input must be carefully escaped or filtered.
Reference: http://en.wikipedia.org/wiki/SQL_injection
eShoplifting
Severity: High
Security Risk: It is possible to steal goods or services.
Recommendation: Do not rely on the client side parameters for price calculations. Do not use Base64 for encoding price information.
Reference: http://en.wikipedia.org/wiki/Shoplifting
Blind SQL Injection
Severity: High
Security Risk: It is possible to execute SQL commands on the SQL Server through the application.
Recommendation: User input must not directly be embedded in SQL statements. Instead, parameterized statements must be used. User input must be carefully escaped or filtered.
Reference: http://en.wikipedia.org/wiki/SQL_injection
Cross Site Scripting (XSS)
Severity: High
Security Risk: It is possible to steal or manipulate customer session and cookies, which may be used to impersonate a legitimate user.
Recommendation: There are several issues whose remediation lies in sanitizing user input.
Reference: http://en.wikipedia.org/wiki/Cross-site_scripting
LDAP Injection
Severity: High
Security Risk: This could result in the execution of arbitrary commands such as granting permissions to unauthorized users, and content modifications.
Recommendation: There are several issues whose remediation lies in sanitizing user input.
Reference: http://www.blackhat.com/presentations/LDAP.pdf
CAPTCHA Bypass
Severity: Medium
Security Risk: Could allow a remote attacker to bypass the CAPTCHA implementation, thus undermining the security benefit of the CAPTCHA technology.
Recommendation: Upgrade to a newer version (if one exists). The CAPTCHA image should be distorted and cluttered, with a textured background. The distortion and clutter are sufficient to confuse OCR (optical character recognition) software.
Reference: http://www.cs.sfu.ca/~mori/research/gimpy/
Reference: http://www.owasp.org/index.php/Testing_for_Captcha_(OWASP-AT-008)
Cross Site Tracing
Severity: Medium
Security Risk: Http Track & Trace enabled on the web server. It is possible to steal or manipulate customer session and cookies, which may be used to impersonate a legitimate user.
Recommendation: Disable the HTTP TRACE method in your web server.
Reference: http://www.kb.cert.org/vuls/id/867593
Application Errors
Severity: Low
Security Risk: It is possible to gather sensitive debugging information. The attacker can gain useful information from the application's responses.
Recommendation: Use generic error displaying. Use try and catch blocks.
Reference: http://www.owasp.org/index.php/Missing_Error_Handling
Hidden Directory
Severity: Informational
Security Risk: It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site.
Recommendation: If the forbidden resource is not required, remove it from the site.
C
CSRF
Cache Poisoning
Command Injection
Cross Site Tracing
Cross-Site Request Forgery (CSRF)
Cross-site Scripting (XSS)
Cryptanalysis
D
Denial of Service
Direct Dynamic Code Evaluation ('Eval Injection')
Double Encoding
F
Forced browsing
Format string attack
Full Path Disclosure
H
HTTP Request Smuggling
HTTP Response Splitting
P
Parameter Delimiter
Path Traversal
R
Resource Injection
S
SQL Injection
Server-Side Includes (SSI) Injection
Session Prediction
Session fixation
Session hijacking attack
U
Unicode Encoding
W
Web Parameter Tampering
X
XPATH Injection
Path Traversal
Bypassing authorization schema
Privilege Escalation
AJAX Vulnerabilities
AJAX Testing
Detailed Report
SQL Injection Vulnerability
Severity: Critical
Get Requests:
http://www.Test-Website.com/Products.aspx?item=1'%20having%201=1--
http://www.Test-Website.com/Products.aspx?cat=1%a5'%20having%201=1--
http://www.Test-Website.com/List-Products.aspx?prod=%00'
http://www.Test-Website.com/List-Products.aspx?cat=1'
http://www.Test-Website.com/Members.aspx?userid= \'
Server Response:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the
select list if the statement contains a UNION operator.
/Products.aspx, line 5
eShoplifting Vulnerability
Severity: High
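The eShoplifting recommendation (no client-side prices, no Base64 as if it were protection), as an added example that is not part of the report: a checkout that decodes a Base64 price from the form beside one that looks the price up on the server. The catalogue, form field names and prices are constructed for the example.

```python
import base64

# Constructed server-side catalogue: the only place a price should come from.
CATALOG = {"sku-100": 49.99, "sku-200": 129.00}


def encode_price(price):
    """How the vulnerable shop ships the price to the browser. Base64 is an
    encoding, not a protection: the client can re-encode any number it likes."""
    return base64.b64encode(str(price).encode()).decode()


def checkout_trusting_client(form):
    """Vulnerable pattern from the finding: the Base64 price in the submitted
    form is decoded and used for the total as-is."""
    price = float(base64.b64decode(form["price"]).decode())
    return round(price * int(form["qty"]), 2)


def checkout_server_side(form):
    """Remediation: the form carries only an item id and quantity; the price
    is looked up on the server, and unknown items or bad quantities are rejected."""
    sku, qty = form["sku"], int(form["qty"])
    if sku not in CATALOG or qty < 1:
        raise ValueError("rejected order: unknown item or bad quantity")
    return round(CATALOG[sku] * qty, 2)


if __name__ == "__main__":
    order = {"sku": "sku-200", "qty": "1", "price": encode_price("129.00")}
    print(checkout_trusting_client(order), checkout_server_side(order))
    order["price"] = encode_price("0.01")   # same item, client-chosen price
    print(checkout_trusting_client(order), checkout_server_side(order))
```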
Blind SQL Injection Vulnerability
Severity: High
Post Requests:
POST /Members/account.aspx HTTP/1.0
listAccounts=1001160141+and+1=1
listAccounts=1001160141+and+1=2
Server Response:
The resulting test responses show that requests containing conditions with the same logical
values were identical to the original valid response, and the responses with different values
were not. This indicates that an SQL query is being executed at the back-end database, and that
the injected values affect the original query.
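The remediation given for both the SQL Injection and the Blind SQL Injection findings, as an added example that is not part of the report: a lookup that splices the request parameter into the SQL text beside one that binds it as a parameter, driven with the report's own probe values (the quote probe from the GET requests and the "and 1=1" / "and 1=2" pair from the POST requests). It assumes an in-memory sqlite3 table standing in for the SQL Server table behind Products.aspx.

```python
import sqlite3

# Constructed stand-in for the table behind Products.aspx. The report's target
# runs SQL Server; sqlite3 is used here only so the example runs offline.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE products (item INTEGER, name TEXT)")
conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "Widget"), (2, "Gadget")])


def lookup_concat(item):
    """Vulnerable pattern: the request parameter is spliced into the SQL text."""
    sql = "SELECT name FROM products WHERE item = " + item
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        # A database error reaching the client is the leak shown in the
        # report's Server Response for Products.aspx.
        return "ERROR: " + str(exc)


def lookup_param(item):
    """Remediation: the value is bound as data, so the query text never changes.
    A stricter version would also reject anything that is not an integer."""
    sql = "SELECT name FROM products WHERE item = ?"
    return [row[0] for row in conn.execute(sql, (item,))]


if __name__ == "__main__":
    # With splicing, "1 and 1=1" and "1 and 1=2" return different results, which
    # is exactly the differential the blind finding describes; bound as data,
    # every probe is just a value that matches no item.
    for probe in ("1", "1'", "1 and 1=1", "1 and 1=2"):
        print(repr(probe), "concat:", lookup_concat(probe), "param:", lookup_param(probe))
```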
Cross Site Scripting (XSS) Vulnerability
Severity: High
http://www.Test-Website.com/Resource/controller.swf?onend=javascript:alert(XSS)//
name=anonymous+user&text=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(50108)>&submit=add+message
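The "sanitize user input" remediation for the XSS finding, as an added example that is not part of the report: the "text" value from the POST request reflected into a page verbatim beside the same value HTML-encoded, with a parser check showing which elements each version creates. The page template (a div wrapper) is an assumption; the payload is the one from the request above, URL-decoded as the server would see it.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# The "text" value from the report's POST request, URL-decoded. The entity-encoded
# src is why filtering on the literal string "javascript:" is not enough.
POSTED_TEXT = unquote(
    '>"\'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;'
    '%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(50108)>'
)


def render_unsafe(text):
    """Vulnerable pattern: the message is reflected into the page verbatim."""
    return '<div class="msg">%s</div>' % text


def render_safe(text):
    """Remediation: HTML-encode the value for the element-body context it lands
    in (quote=True also encodes the quote characters the payload opens with)."""
    return '<div class="msg">%s</div>' % html.escape(text, quote=True)


class _TagCollector(HTMLParser):
    """Constructed check: record every start tag, with attribute values decoded
    the way a browser decodes them (so &#x6a;... comes back as plain text)."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def tags_in(page):
    """Return the (tag, attributes) pairs a parser creates from the page."""
    collector = _TagCollector()
    collector.feed(page)
    return collector.tags


if __name__ == "__main__":
    print("unsafe:", tags_in(render_unsafe(POSTED_TEXT)))
    print("safe:  ", tags_in(render_safe(POSTED_TEXT)))
```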
LDAP Injection Vulnerability
Severity: High
Post Requests:
POST /Members.aspx
uid=admin)(&))&password=pwd
Server Response:
Authentication bypass using LDAP injection on the "uid" parameter.
CAPTCHA Bypass Vulnerability
Severity: Medium
http://www.owasp.org/index.php/Testing_for_Captcha_(OWASP-AT-008)
Post Requests:
POST /Members.aspx
uid=CYBERDIN&password=InfoSeCheck.com&captchaImage=agos 12F
Cross Site Tracing Vulnerability
Severity: Medium
Security Risk: Http Track & Trace enabled on the web server. It is possible to steal or manipulate customer session and cookies, which may be used to impersonate a legitimate user.
Test Requests:
TRACE /CYBERDIN-HTTP_Track_Vuln HTTP/1.0
Server Response:
HTTP/1.1 200 OK
Connection: close
Content-Type: message/http
Application Errors
Severity: Low
Recommendation: Use generic error displaying. Use try and catch blocks.
Post Requests:
POST /Members.aspx
uid='0x%0a&password=CYBERDIN_Technologies
Server Response:
Hidden Directory
Severity: Informational
Get Requests:
GET /admin/ HTTP/1.0
Server Response:
HTTP/1.1 403 Forbidden
Severity: Informational
Get Requests:
Get /Members.aspx
Server Response:
HTTP/1.1 200 OK
Appendix 1
Special (dangerous) Characters List:
It is advised to filter out all the following characters:
[1] |
[3] ;
[4] $
[5] %
[6] @
[9] \
[12] +
[16] ,
[17] \
[18] ~
[19] #
[22] _
[25] =