
VAPT Report

Date post: 10-Mar-2016
Upload: robin
Description:
VAPT Report

  • Vulnerability Assessment and Penetration Testing for Web Application BookUrShow

    Methodology Summary

    In order to perform a comprehensive Web Application Security Assessment, we perform a Vulnerability Assessment and Penetration Test following the OWASP, SANS, NIST and OSSTMM guidelines. Several procedures are performed to ensure that the vulnerabilities in the Web Application are identified and, where possible, exploited to confirm them. The following procedures are carried out to achieve this purpose.

    Reconnaissance and Mapping

    Reconnaissance is the first step in a Vulnerability Assessment and/or Penetration Test, and the most important phase of the test. In this phase the testing team performs active and passive reconnaissance of the target system. We manually navigate through the running application to understand its basic functionality and workflow. All traffic between the client and the application is routed through an intercepting proxy and recorded, whether the client is a browser on a physical device or a simulator/emulator, so that every request and response can be reviewed later to find vulnerabilities.

  • !

    !

    1 Executive Closure Summary
      1.1 Security Assessment
      1.2 Security Assessment

    2 Detailed Technical Summary
      2.1.1 Clear Text Submission of Password
      2.1.2 Cross Site Scripting (XSS)
      2.1.3 Blind SQL Injection
      2.1.4 Admin Functionality Exposed
      2.1.5 Directory Listing
      2.1.6 Authentication Bypass (Brute Force)
      2.1.7 Weak Password Policy
      2.1.8 Forgot Password Mechanism Is Not Implemented


  • =

    3 &.$+&$%))(*

    ! ! "#$

    Description: Any web page that handles sensitive information should transmit it over a protected channel. The BookUrShow login page submits the username and password over plain HTTP, so the credentials travel in clear text.

    Impact: An attacker positioned on the network path (for example on the same wireless network) can capture the credentials with a sniffing tool such as Wireshark or Cain & Abel, since the password is sent in plain text.

    Recommendation: Serve the login form and every other page that handles sensitive data over HTTPS only, and do not serve them over HTTP. Redirect HTTP requests to HTTPS and mark the session cookie Secure so that it is never sent over the clear-text channel.

  • ! )%(*+,-

    % Cross site scripting, better known as XSS, is in fact a subset of HTML injection. XSS is the most prevalent and pernicious web application security issue. XSS flaws occur whenever an application takes data that originated from a user and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victims browser, which can hijack user sessions, deface web sites, insert hostile content, conduct phishing attacks, and take over the users browser using scripting malware. The malicious script is usually JavaScript, but any scripting language supported by the victims browser is a potential target for this attack. The most common web application security weakness is the failure to properly validate input from the client or environment. This weakness leads to almost all of the major vulnerabilities in applications, such as injection attacks, interpreter injection, locale/Unicode attacks, file system attacks and buffer overflows.

    &' .*/

    Exploited XSS is commonly used to achieve the following malicious results: Identity theft Redirection to the malicious websites Accessing sensitive or restricted information Spying on users web browsing habits

    #

  • >

    %))

    Input Validation: It is recommended to use a standard server as well as client side input validation mechanism to validate all input data for length, type, syntax, and business rules before accepting the data to be stored.

    Output Encoding: It is recommended that all user-supplied data is appropriately entity encoded (either HTML or XML depending on the output mechanism) before rendered on HTML Page. For PHP, htmlentities() or htmlspecialcharacters() functions can be used to avoid cross site scripting.
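    The following is an added example, not code from the BookUrShow application or from the report. It uses Python's html.escape in place of the PHP htmlentities()/htmlspecialchars() calls named above, shows the vulnerable concatenation beside the encoded rendering for both the HTML body and an attribute context, and adds a server-side validation rule for a field with a known shape (a city name, a hypothetical rule chosen for this example). The XSS payload is a constructed test input.

```python
import html
import re

# Constructed sample of attacker-controlled input: the classic reflected-XSS probe.
PAYLOAD = "<script>alert(document.cookie)</script>"

def render_unsafe(name: str) -> str:
    # Vulnerable pattern: user data concatenated straight into the page.
    return f"<p>Welcome, {name}</p>"

def render_safe(name: str) -> str:
    # HTML body context: &, <, >, " and ' are entity-encoded before interpolation,
    # so the browser shows the payload as text instead of executing it.
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"

def render_attr_safe(value: str) -> str:
    # Attribute context: the value must be quoted AND encoded. Encoding alone is
    # not enough if the attribute is left unquoted, and quoting alone is not
    # enough if quotes in the data are not encoded.
    return f'<input name="q" value="{html.escape(value, quote=True)}">'

_SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)

def contains_live_script(markup: str) -> bool:
    # Crude check used only to demonstrate the difference between the two
    # renderings: does the output still contain a raw (unencoded) <script tag?
    return _SCRIPT_TAG.search(markup) is not None

def validate_city_name(name: str) -> bool:
    # Server-side validation for a field with a known business shape (assumed rule:
    # 1-64 characters, letters, spaces, dots, apostrophes and hyphens). Validation
    # narrows what reaches storage; it complements output encoding, it does not
    # replace it, because other fields (free text) cannot be restricted this way.
    return 1 <= len(name) <= 64 and re.fullmatch(r"[A-Za-z][A-Za-z .'-]*", name) is not None

if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))      # script tag survives: the page is exploitable
    print(render_safe(PAYLOAD))        # entity-encoded: rendered as harmless text
    print(render_attr_safe('" onmouseover="alert(1)'))
    print(validate_city_name("Navi Mumbai"), validate_city_name(PAYLOAD))
```

    The attribute case matters because an attacker who cannot inject angle brackets can still break out of an attribute with a quote; encoding with quote=True closes that route.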

  • 5

    ! 0 12

    % SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query

    &' &+

    (% Blind SQL Injection is based on true & false input. If input is true server will give response according to that and if false according to that. Malicious user can have un-authorized access via inserting true conditions through SQL commands.

    #

  • ?

    %))3Proper input validation is required. Use html entities in order to ban special

    Characters given by an attacker
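    An added example, written in Python with an in-memory SQLite table standing in for the BookUrShow users table (the table layout, user names and passwords are constructed for the demonstration; the real schema is not known from the report). It shows the vulnerable string-built login query beside the parameterised one, the always-true bypass, and the boolean-based blind extraction loop that recovers a password one character at a time using only the login's success/failure signal. Passwords are stored in clear here only to keep the example short; a real application stores password hashes.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    # Constructed stand-in for the application's users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'S3cret!')")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 'alicepw')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Vulnerable: user input is spliced into the SQL text, so quotes and comment
    # markers in the input become part of the query structure.
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None

def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Fixed: parameterised query. The values travel separately from the SQL, so
    # the input is only ever compared as data and can never alter the query.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def blind_extract_password(conn: sqlite3.Connection, login, target: str = "admin", max_len: int = 32) -> str:
    # Boolean-based blind extraction. Each probe injects one yes/no condition into
    # the username; a successful login means the condition was true. The trailing
    # "-- " comments out the original password check. substr() is 1-based in SQLite.
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*"
    recovered = ""
    for pos in range(1, max_len + 1):
        found = False
        for ch in charset:
            probe = f"{target}' AND substr(password,{pos},1)='{ch}' -- "
            if login(conn, probe, "x"):
                recovered += ch
                found = True
                break
        if not found:          # no character matched: end of the password (or login is fixed)
            break
    return recovered

if __name__ == "__main__":
    db = build_db()
    bypass = "' OR 1=1 -- "
    print("bypass on vulnerable login:", login_vulnerable(db, bypass, "x"))   # True
    print("bypass on fixed login:     ", login_fixed(db, bypass, "x"))        # False
    print("blind extraction (vulnerable):", repr(blind_extract_password(db, login_vulnerable)))
    print("blind extraction (fixed):     ", repr(blind_extract_password(db, login_fixed)))
```

    The extraction loop is the mechanism behind automated tools: the page never shows data, yet roughly seventy requests per character are enough to read any column the query can reach. Against login_fixed the same probes are compared literally as a username and never match.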

  • ! 4 5"#

    % Site crawlers can be used or one can spider the host/target to know sensitive information like configuration settings, hidden urls, confidential documents etc. In the process of extracting sensitive information malicious user can obtain information about admin related files as well.

    &' &+

    (% At the time of crawling attacker can gain a list of various php files lying on the server. One of them is deletecity.php. To delete any citys name from the database is the function of this file. This is admin level functionality

  • #

  • %))3 Move all of the critical forms and pages to HTTPS and do not serve them over HTTP.
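    An added example, not part of the report or of the BookUrShow code base, written in Python rather than PHP. It models the reported deletecity.php behaviour (the action runs for anyone who reaches the URL) beside a hardened handler that sits behind a server-side role check. The session dictionary, role names and city list are constructed for the demonstration.

```python
from functools import wraps

class AuthorizationError(Exception):
    """Raised when a request reaches an admin handler without the required rights."""

def require_role(role: str):
    # Server-side gate applied to every administrative handler. The decision is
    # made from the server-side session, never from a hidden form field, a
    # client-controlled cookie value, or the fact that the URL was reached.
    def decorator(handler):
        @wraps(handler)
        def wrapper(session, *args, **kwargs):
            if not session.get("user"):
                raise AuthorizationError("authentication required")
            if role not in session.get("roles", ()):
                raise AuthorizationError(f"role '{role}' required")
            return handler(session, *args, **kwargs)
        return wrapper
    return decorator

def delete_city_exposed(session: dict, cities: set, city: str) -> bool:
    # Mirrors the reported behaviour of deletecity.php: the session is ignored,
    # so anyone who discovers the URL can delete a city.
    cities.discard(city)
    return city not in cities

@require_role("admin")
def delete_city(session: dict, cities: set, city: str) -> bool:
    # Hardened version: identical business logic behind the authorization gate.
    cities.discard(city)
    return city not in cities

def attempt_delete(handler, session: dict, cities: set, city: str) -> str:
    # Tiny dispatcher that maps the outcome to the HTTP status the web layer
    # would return to the client.
    try:
        handler(session, cities, city)
        return "200 deleted"
    except AuthorizationError as err:
        return f"403 {err}"

if __name__ == "__main__":
    cities = {"Mumbai", "Pune", "Delhi"}                 # constructed sample data
    anonymous = {}                                       # crawler, no session
    customer = {"user": "alice", "roles": ("customer",)}
    admin = {"user": "root", "roles": ("admin",)}
    print(attempt_delete(delete_city_exposed, anonymous, cities, "Pune"))   # 200 deleted
    print(attempt_delete(delete_city, anonymous, cities, "Mumbai"))         # 403 authentication required
    print(attempt_delete(delete_city, customer, cities, "Mumbai"))          # 403 role 'admin' required
    print(attempt_delete(delete_city, admin, cities, "Mumbai"))             # 200 deleted
```

    The point of the decorator is that the check cannot be forgotten on an individual script: every admin action is declared with its required role, and a crawler that finds the URL gets a 403 instead of a deletion.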

  • 2.1.5 Directory Listing

    Description: When a directory on the web server has no index file and automatic indexing is enabled, requesting the directory URL returns a listing of the files inside it. An attacker can walk the URL path (for example the parent directories of known pages) and obtain the list of directories and the files in each.

    Impact: The listing exposes scripts, backup copies, configuration files and other material that is never linked from the application, giving the attacker a map of the server's contents and further targets. Directory listing is distinct from path traversal, in which insufficient validation of user-supplied file names lets characters representing "traverse to parent directory" pass through to the file APIs; both expose files the application never intended to serve.

    Recommendation: Disable automatic directory indexing on the web server (for Apache, Options -Indexes in the server configuration or .htaccess) and implement proper access controls over the URLs so that an attacker cannot walk the URL tree to reach sensitive information.

  • 8

    ! 8 .5#+-

    % An attacker can bypass the privileges by performing a brute force , dictionary, syllable and hybrid methods to gain unauthorized access to the web page.

    &' 6.&%)

    (% An issue exists in BookUrShow Application that could allow an unauthorized user to brute force the password of user accounts when Web Publishing is enabled.

    #

    %))3

    1. Ensure that users follow proper password policies such as using hard to guess passwords. 2. HTTP basic authentication is generally not considered a secure mechanism and should be run over

    a SSL-enabled port

  • =

    ! 9 $:#$#5

    % One should use strong password policies to harden the strength and should increase the password characters minimum to 16 so as to protect it from any brute force mechanism. Passwords can be cracked easily if given time and resources with a high capacity. If the password strength is less than it can easily lead to expose the sensitive details of the users up on cracking them.

    &' 6.&%)

    (% It was found in change password options that the application accepting single character password so attacker can easily break the password.

    #

    %))3

    1. Password length should be minimum 8 characters.

    2. Password characters should be a combination of alphanumeric characters.
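    An added example covering the two findings above (2.1.6 brute force and 2.1.7 weak password policy), written in Python rather than the application's PHP and not taken from the report. It pairs a password-policy check that rejects the single-character password observed in the change password function with a per-account login throttle that locks the account after repeated failures. The thresholds, the short deny-list of common passwords, the user record and the injectable clock are assumptions made for the demonstration; passwords are stored in clear only to keep the example short.

```python
import re
import time

# Constructed deny-list; a real deployment uses a large breached-password list.
COMMON_PASSWORDS = {"password", "12345678", "qwertyui", "bookurshow"}

def check_password_policy(password: str, username: str = "") -> list:
    # Returns the list of policy violations; an empty list means the password is acceptable.
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", password) or not re.search(r"[0-9]", password):
        problems.append("must mix letters and digits")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems

class LoginThrottle:
    # Per-account lockout over a sliding window: `max_failures` failures within
    # `window` seconds lock the account for `lockout` seconds. The clock is
    # injectable so the behaviour can be exercised without waiting.
    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.monotonic):
        self.max_failures, self.window, self.lockout, self.clock = max_failures, window, lockout, clock
        self.failures = {}       # username -> timestamps of recent failures
        self.locked_until = {}   # username -> time the lock expires

    def is_locked(self, user: str) -> bool:
        return self.locked_until.get(user, 0) > self.clock()

    def record_failure(self, user: str) -> None:
        now = self.clock()
        recent = [t for t in self.failures.get(user, []) if now - t <= self.window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            self.failures[user] = []

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)

def attempt_login(throttle: LoginThrottle, users: dict, username: str, password: str) -> str:
    # The lock is checked before the credentials, so a locked account stays
    # locked even when the attacker finally guesses right. Returns "locked",
    # "ok" or "denied", the outcome the login page would act on.
    if throttle.is_locked(username):
        return "locked"
    if users.get(username) == password:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"

if __name__ == "__main__":
    print(check_password_policy("a"))                     # the observed single-character password
    print(check_password_policy("Tr0ub4dor-x9"))          # []
    fake_now = [1000.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    users = {"alice": "Tr0ub4dor-x9"}                     # constructed user record
    for _ in range(5):
        print(attempt_login(throttle, users, "alice", "guess"))   # denied x5
    print(attempt_login(throttle, users, "alice", "Tr0ub4dor-x9"))  # locked
    fake_now[0] += 900
    print(attempt_login(throttle, users, "alice", "Tr0ub4dor-x9"))  # ok
```

    Lockout by account alone lets an attacker deny service to a victim; in practice it is combined with per-source-IP limits and progressive delays, and every lock is logged for detection.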

  • 2.1.8 Forgot Password Mechanism Is Not Implemented

    Description: Developers frequently build custom authentication schemes, but implementing them correctly is hard. As a result, these custom schemes frequently have flaws or, as here, leave out part of the account lifecycle.

    Impact: The application provides no forgot password mechanism, so a user who loses a password has no secure way to recover the account.

    Recommendation: Implement a forgot password mechanism based on a random, single-use, time-limited reset token delivered to the user's registered email address. Store only a hash of the token, respond identically whether or not the email address exists, and apply the password policy to the new password.
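    An added example of the recommended reset flow, written in Python and not taken from the report or the application. The service issues a random token, stores only its hash with an expiry, and consumes it on first use; the user store, the 15-minute lifetime and the injectable clock are assumptions for the demonstration, and the email delivery step is represented by returning the token to the caller (a real deployment emails it and never includes it in the HTTP response).

```python
import hashlib
import hmac
import secrets
import time

class PasswordResetService:
    # Reset tokens are random, single-use and time-limited, and only their hash is
    # stored, so a database leak does not hand an attacker working reset links.
    def __init__(self, users: dict, ttl: int = 900, clock=time.time):
        self.users = users            # username -> {"email": ..., "password": ...}
        self.ttl, self.clock = ttl, clock
        self.pending = {}             # sha256(token) -> (username, expiry time)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str):
        # Returns the token that would be emailed, or None if no account matches.
        # The HTTP response to the requester must be identical in both cases so the
        # endpoint cannot be used to enumerate registered addresses.
        for name, record in self.users.items():
            if hmac.compare_digest(record["email"].encode(), email.encode()):
                token = secrets.token_urlsafe(32)
                self.pending[self._hash(token)] = (name, self.clock() + self.ttl)
                return token
        return None

    def complete_reset(self, token: str, new_password: str) -> bool:
        # pop() makes the token single-use: a second presentation finds nothing.
        entry = self.pending.pop(self._hash(token), None)
        if entry is None:
            return False
        name, expiry = entry
        if self.clock() > expiry:
            return False
        # The new password should also pass the application's password policy check.
        self.users[name]["password"] = new_password
        return True

if __name__ == "__main__":
    fake_now = [100.0]
    users = {"alice": {"email": "alice@example.com", "password": "old"}}   # constructed record
    svc = PasswordResetService(users, ttl=60, clock=lambda: fake_now[0])
    token = svc.request_reset("alice@example.com")
    print(svc.complete_reset("not-the-token", "x"))        # False: unknown token
    print(svc.complete_reset(token, "N3wPassw0rd"))        # True
    print(svc.complete_reset(token, "again"))              # False: already used
    late = svc.request_reset("alice@example.com")
    fake_now[0] = 200.0
    print(svc.complete_reset(late, "late"))                # False: expired
```

    Looking the token up by hash rather than by value also means the check is a dictionary lookup on a fixed-length digest, which avoids both timing leaks on the token comparison and having to store the secret itself.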

