KiwiQA Services Engage
Experience
Excel
Web Application VAPT Report
for
10th March, 2017
1 KiwiQA Services - Confidential
SCOPE OF TEST
Name of the Organization Nava Finance
Name of the Application Navaloans web application
Scope of Service Penetration Testing
Duration of Test 7 work days
PROJECT TEAM POINT OF CONTACT
Name Security Team - KiwiQA
Email ID security@kiwiqa.com
Document Approved by Niranjan Limbachiya
Email ID Niranjan.limbachiya@kiwiqa.com
CLIENT POINT OF CONTACT
Document Recipient Name Mukesh Patel
Email ID
DOCUMENT HISTORY
Date Version Author Comments
10th March 2017 1.0 Joseph -
Table of Contents
  INTRODUCTION
  FOCUS & OBJECTIVE
  TERMINOLOGY AND SCORE
    Information Gathering
    Website Information
  WEB APPLICATION VULNERABILITIES
    Classification by impact severity
  VULNERABILITY DETAIL AND MITIGATION
    Vulnerability #1: E-mail Bombing and Spamming
    Vulnerability #2: Clickjacking
    Vulnerability #3: Session Cookie without Secure Flag
    Vulnerability #4: Server/OS Information Leakage
    Vulnerability #5: Missing Security Headers
    Vulnerability #6: Password Field with Auto-Complete Enabled
  EXPLOIT VECTORS TESTED
    Test #A1: Injection Attacks
    Test #A2: Broken Authentication and Session Management
    Test #A3: Cross Site Scripting (XSS)
    Test #A4: Insecure Direct Object Reference
    Test #A5: Security Misconfiguration
    Test #A6: Sensitive Data Exposure
    Test #A7: Missing Functional Level Access Control
    Test #A8: Cross Site Request Forgery
    Test #A9: Using Components with known Vulnerabilities
    Test #A10: Unvalidated Redirects and Forwards
    Test #11: Information Gathering
    Test #12: Configuration and Deployment Management Testing
    Test #13: Identity Management Testing
    Test #14: Cryptography
    Test #15: Business Logic
    Test #16: Client Side Testing
  CONCLUSION
INTRODUCTION
Security assessment is a process that enables an understanding of threats for better defence.
Penetration testing simulates methods that intruders adopt to gain unauthorized access to an
organization’s network systems, proceeding to compromise them. Most attackers follow conventional
approaches to attempt a penetration.
Our security testing components focus on high-severity vulnerabilities and strive to unearth
application-level security issues to help provide valuable insights to development teams.
FOCUS & OBJECTIVE
To find potential vulnerabilities latent in web application interfaces and implement a simulated exploit
to assess the possibilities of compromise, cover all attack vectors and trace the attack surface.
The core intent of running a VAPT test on the target web applications is to evaluate the ease of gaining
unauthorized access to the system by using different types of real-world exploits and common attack
patterns to access the network or data. The exercise offers visibility into the possible impact of the flaw
on the underlying network, operating system, database etc. using many methods a malicious hacker
would attempt.
TERMINOLOGY AND SCORE
CVE is a dictionary of publicly known information security vulnerabilities and exposures. CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services. An information security "vulnerability" is a mistake in a software application, configuration or operating system that can be directly used by a hacker to gain access to a system or network.
Vulnerability - A weakness which allows a hacker to break into / compromise a system's security
Exploit - Code which allows an attacker to take advantage of a vulnerable system
Payload - The actual code which runs on the system after exploitation
CVSS score range | Severity in advisory | Description
8.0 – 10.0 | Critical | Issues that allow an attacker to run executable code of their choice on the machine, with ease, and without assistance from the user. Impact: All services completely lost and no workaround is immediately available. Mission critical data associated with the appliance is disclosed or corrupted.
6.0 – 7.9 | High | Issues that allow an attacker to run executable code of their choice on the machine, with great difficulty, or requiring significant user interaction. Impact: Major functionality of the appliance is severely impaired. Operations can continue in a restricted fashion, although long-term productivity might be adversely affected. Extensive loss or corruption of critical data.
3.0 – 5.9 | Medium | Issues that require an attacker to reside on the same local network as the victim. Impact: Affect only non-standard configurations or obscure applications.
0.0 – 2.9 | Low | Vulnerabilities in the low range typically have very little impact on an organization's business. Exploitation of such vulnerabilities usually requires local or physical system access. Impact: Privacy leaks on non-confidential data, such as dates visited, cached files, visited history, etc.
Information Gathering
Site https://integration.navaloans.com
Domain navaloans.com
IP Address 52.49.68.117
Netblock Owner Amazon Data Services Ireland Limited
Domain registrar amazon.com
DNS Admin awsdns-hostmaster@amazon.com
Organization Whois Privacy Service, P.O. Box 81226, Seattle, 98108-1226, United
States
Hosting Country ie
Website Information
OS guessed Unix
Server Apache/2.4.25
Application Framework JSP
WEB APPLICATION VULNERABILITIES
Classification by impact severity
Severity distribution (chart): Medium 66.67%, Low 33.33%
Severity | Vulnerability identified | Assessed Impacts
Medium | Email Bombing and Spamming | Spamming of user inbox, system crashes, failure of service
Medium | Clickjacking | User action manipulation, theft of sensitive user inputs
Medium | Missing Cookie Attributes | Disclosure of sensitive information
Medium | Information Disclosure | Unintentional data leakage
Low | Missing Security Headers | Information theft
Low | Password Field with Autocomplete feature Enabled | Unauthorized user information disclosure
VULNERABILITY DETAIL AND MITIGATION
Vulnerability #1: E-mail Bombing and Spamming
Vulnerability Details Email Bombing and Spamming of valid user accounts
Description The vulnerability allows spamming of an email message to a particular user email address registered on a specific victim site. Such messages are commonly large and constructed from unintelligible data in an effort to consume additional system and network resources required for processing them. Also, hundreds or thousands of accounts on the target site may be simultaneously victimized in an Email Spamming attack, increasing the denial of service severity on the target site's servers. Email spamming can be made worse if recipients reply to the email, causing all the original addressees to receive the reply.
Severity Medium
Impact An attacker can use the mail server to bomb and spam your users' inboxes by brute-forcing the 'forgot password' functionality.
Business Impact Loss of reputation.
Recommendation Invalidate the Anti-CSRF token after a single use and issue a new one for the next request, even for unauthenticated users.
(or)
Restrict the maximum number of emails sent to a specific user per hour. After more than 5 'forgot password' emails have been sent, throttle the particular user's email ID / IP address.
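The two recommendations above, worked through together as an added example (this is not code from the report or from the Navaloans application). The class name, the method names and the in-memory stores are assumptions made here for illustration; the limit of 5 'forgot password' requests per hour, counted separately per e-mail address and per client IP, follows the recommendation, and the anti-CSRF token is consumed on first use so a captured form submission cannot be replayed.

```python
"""Single-use anti-CSRF token plus per-user / per-IP throttling for a
'forgot password' endpoint. Added example; names are assumptions."""
import secrets
import time
from collections import defaultdict, deque

MAX_PER_HOUR = 5          # throttle after 5 reset e-mails, as recommended
WINDOW_SECONDS = 3600     # sliding one-hour window


class ForgotPasswordGuard:
    """Guards the reset endpoint. `now` is injectable so the window can be
    exercised deterministically in a test."""

    def __init__(self, now=time.time):
        self._now = now
        self._events = defaultdict(deque)   # key -> timestamps of accepted requests
        self._tokens = {}                   # outstanding single-use tokens

    # ---- anti-CSRF token: issued when the form is rendered, usable once ----
    def issue_token(self):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = self._now()
        return token

    def consume_token(self, token):
        """True exactly once per issued token; a reused token is rejected."""
        return self._tokens.pop(token, None) is not None

    # ---- sliding-window counter keyed on e-mail address and on client IP ----
    def _allowed(self, key):
        window = self._events[key]
        cutoff = self._now() - WINDOW_SECONDS
        while window and window[0] <= cutoff:   # drop events older than one hour
            window.popleft()
        return len(window) < MAX_PER_HOUR

    def request_reset(self, email, client_ip, token):
        """Decide whether a reset e-mail may be sent for this request.
        Returns 'sent', 'throttled' or 'rejected: ...'."""
        if not self.consume_token(token):
            return "rejected: invalid or reused anti-CSRF token"
        email_key = "email:" + email.strip().lower()   # normalise so case changes do not evade the cap
        ip_key = "ip:" + client_ip
        if not (self._allowed(email_key) and self._allowed(ip_key)):
            return "throttled"
        stamp = self._now()
        self._events[email_key].append(stamp)
        self._events[ip_key].append(stamp)
        return "sent"


if __name__ == "__main__":
    guard = ForgotPasswordGuard()
    for i in range(7):
        # constructed sample traffic: seven requests for one address from one IP
        print(i + 1, guard.request_reset("user@example.com", "203.0.113.5", guard.issue_token()))
```

Whatever the outcome, the message shown to the caller should stay generic so that the endpoint does not reveal whether the address is registered (compare Proof of Concept 13.1), and in a multi-node deployment the counters would live in a shared store rather than in process memory.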
Proof of Concept:
Vulnerability #2: Clickjacking
Vulnerability Details X-Frame-Options header missing.
CVE / CWE Reference CWE-693
Description Clickjacking (aka User Interface redress attack, UI redress attack, UI redressing) can be used to trick a web user into clicking on something different from what the user perceives they are clicking on, thereby stealing sensitive information, which could also lead to a take-over of their computer while clicking on seemingly harmless web pages. A web application can be misused in a Clickjacking attack if it allows an attacker to load its web pages in an iframe overlay, masquerading a malicious web page aligned in such a manner that, for instance, the login button on a safe web page lines up over a "click here to win $1 million" button on the concealed, infected website. In this case, the server did not return an X-Frame-Options header, which means that this website could be used to launch a Clickjacking attack.
Effects Manipulation of user actions; data and identity theft. Affected areas: all pages where clicks can manipulate data, e.g. deleting users in the admin role in the user management portal.
Severity Medium
Impact Manipulation of user controls/input and leakage of sensitive user information.
Recommendation Configure your web server to include an X-Frame-Options header. Consult Web
references for more information about the possible values for this header.
Proof of Concept:
Vulnerability #3: Session Cookie without Secure Flag
Vulnerability Details Secure flag not set
CVE / CWE Reference CVE-2008-4122
Description When a cookie is set with the Secure flag, it instructs the browser that the cookie may only be transmitted over secure SSL/TLS channels. This is an important security protection for session cookies. The cookie appears to contain a session token, which may increase the risk associated with this issue. The cookie in the screenshot does not have the Secure flag set. As a result, the session cookie will be sent over unencrypted HTTP channels.
Effects User data confidentiality. Unauthorized parties can steal or modify an authenticated user's cookies and read sensitive information stored for use in identity theft and impersonation attacks.
Severity Medium
Impact The cookie (typically your session cookie) becomes vulnerable to theft or manipulation by malicious script.
Recommendation Review the contents of cookies to determine their functions. Set the Secure flag for session cookies carrying sensitive information.
Proof of Concept:
Vulnerability #4: Server/OS Information Leakage
Vulnerability Details Unintended information leakage through server response headers
Description Information such as the technology used, its version, OS details and version are returned in server response headers.
Effects Targeted attacks are possible because of the leakage of such information.
Severity Medium
Technical Impact Exposure of sensitive information aiding reconnaissance.
Business Impact Security Best Practice Violation.
Recommendation The X-Powered-By header can carry a "deception value" rather than the actual technologies that are being used.
Proof of Concept:
Vulnerability #5: Missing Security Headers
Vulnerability Details Security headers are missing in the response from server
Description There are few security headers which are recommended as a best practice.
These headers can help prevent certain attacks like cookie stealing, XSS,
clickjacking etc.
Severity Low
Effects Missing Best Practice
Technical Impact Cookie stealing, XSS, Clickjacking attacks
Business Impact Losing user confidentiality on data integration
Recommendation It is best practice to implement security headers such as X-Frame-Options: SAMEORIGIN, X-XSS-Protection: 1; mode=block, X-Content-Type-Options: nosniff, Content-Type: text/html; charset=utf-8, Strict-Transport-Security etc.
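As an added example serving Vulnerabilities #2 to #5 together (this is not a tool used in the assessment and not code from the application), the checker below reads a raw HTTP response and reports the header weaknesses described in those findings: a missing X-Frame-Options header, a session cookie set without the Secure flag, version strings disclosed in Server and X-Powered-By, and the absent best-practice headers. Both sample responses are constructed here for illustration (the Server value mirrors the version string listed under Website Information; the X-Powered-By value is invented); the parser and the wording of the findings are assumptions.

```python
"""Audit the headers of one HTTP response for the weaknesses reported as
Vulnerabilities #2-#5. Added example; samples are constructed."""
import re

# Constructed sample exhibiting the reported weaknesses (not a real capture).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.25\r\n"
    "X-Powered-By: JSP/2.3\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample of the same response after applying the recommendations.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

SESSION_COOKIE_HINT = re.compile(r"sess", re.IGNORECASE)   # JSESSIONID, PHPSESSID, session, ...
VERSION_HINT = re.compile(r"\d+\.\d+")                      # a dotted version number
RECOMMENDED = ("strict-transport-security", "x-content-type-options", "x-xss-protection")


def parse_headers(raw):
    """Return (name, value) pairs from the head of a raw HTTP response; names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_headers(raw):
    """Return a sorted list of findings; an empty list means nothing was flagged."""
    headers = parse_headers(raw)
    names = {n for n, _ in headers}
    findings = []

    # Vulnerability #2: framing protection
    if "x-frame-options" not in names:
        findings.append("missing X-Frame-Options (clickjacking)")

    # Vulnerability #3: attributes of cookies that look like session cookies
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        if SESSION_COOKIE_HINT.search(cookie_name):
            if "secure" not in attrs:
                findings.append(f"session cookie {cookie_name} lacks Secure flag")
            if "httponly" not in attrs:
                findings.append(f"session cookie {cookie_name} lacks HttpOnly flag")

    # Vulnerability #4: technology and version disclosure
    for name, value in headers:
        if name in ("server", "x-powered-by") and VERSION_HINT.search(value):
            findings.append(f"{name} discloses version: {value}")

    # Vulnerability #5: remaining best-practice headers
    for required in RECOMMENDED:
        if required not in names:
            findings.append(f"missing {required}")
    return sorted(findings)


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(sample) or "no findings")
```

The same function can be pointed at a captured response from any page of the application; it flags only what is absent or disclosed in the headers, so a hardened response such as the second sample produces no findings.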
Vulnerability #6: Password Field with Auto-Complete Enabled
Vulnerability Details Auto-complete is enabled in username, password fields by default
CVE / CWE Reference CWE-200
Description The login form contains password fields for which the browser auto-complete feature is enabled. Auto-complete stores completed form field entries (usernames, passwords, contact information) locally in the browser, so that these fields are filled automatically when the user visits the site again. When a new name and password are entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter, when the form is displayed, the name and password are filled in automatically or are listed as suggestions as the user types.
Severity Low
Impact Sensitive data and passwords can be stolen if the user's system is
compromised.
Recommendation The password auto-complete should be disabled in forms collecting
sensitive user input.
To disable auto-complete, you may use code similar to:
<input type="password" name="password" autocomplete="off">
However, the form auto-complete is a non-standard, browser-side feature
that each browser handles differently. Opera, for example, disregards the
feature, requiring the user to enter credentials for each Web site visit.
Proof of Concept
EXPLOIT VECTORS TESTED
Following are the details pertaining to the common attack scenarios which were simulated for the
application. This section also includes a definitive list of exploit vectors that were tested and the
corresponding security posture of the application.
Test #A1: Injection Attacks
Test Details Injection attacks
Description Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Result Pass
Test #A2: Broken Authentication and Session Management
Vulnerability Details Authentication and Authorization issues
Description Application functions related to authentication and session management are often
not implemented correctly, allowing attackers to compromise passwords, keys, or
session tokens, or to exploit other implementation flaws to assume other users’
identities.
Scenarios Tested:
  Testing for Credentials Transported over an Encrypted Channel: Pass (Proof of Concept A2.1)
  Testing for default credentials: Pass
  Testing for Weak lock out mechanism: Pass
  Testing for bypassing authentication schema: Pass
  Test remember password functionality: Pass
  Testing for Browser cache weakness: Pass (after logout the browser cache is cleared)
  Testing for Weak password policy: Pass (Proof of Concept A2.2)
  Testing for Weak security question/answer: Pass (Not Applicable)
  Testing for weak password change or reset functionalities: Pass (Proof of Concept A2.3)
  Testing for Weaker authentication in alternative channel: Pass
  Directory Traversal: Pass
  Bypassing authorization schema: Pass
  Privilege Escalation: Pass
  Insecure Direct Object References: Pass
  Testing for Bypassing Session Management Schema: Pass
  Testing for Cookies attributes: Fail (Vulnerability #3)
  Testing for Session Fixation: Pass (session-id before and after login are different)
  Testing for Exposed Session Variables
  Testing for logout functionality
Proof of Concept A2.1:
Credentials transported in SSL
Proof of Concept A2.2:
Password needs to be 8 characters with at least one non-alphabet character
Proof of Concept A2.3:
The token was tested for randomness and reusability and passed each test
Test #A3: Cross Site Scripting (XSS)
Vulnerability Details Cross Site Scripting – Reflected, Stored, Dom
Description XSS flaws occur whenever an application takes untrusted data and sends it to a web
browser without proper validation or escaping. XSS allows attackers to execute
scripts in the victim’s browser which can hijack user sessions, deface web sites, or
redirect the user to malicious sites.
Result Pass
Test #A4: Insecure Direct Object Reference
Vulnerability Details Insecure Direct Object References
CVE / CWE Reference CWE-813
Description Insecure Direct Object References occur when an application provides direct
access to objects based on user-supplied input. As a result of this vulnerability
attackers can bypass authorization and access resources in the system directly, for
example database records or files.
Result Pass
Test #A5: Security Misconfiguration
Vulnerability Details Default configurations set in frameworks
Description Good security requires having a secure configuration defined and deployed for the
application, frameworks, application server, web server, database server, and
platform. Secure settings should be defined, implemented, and maintained, as
defaults are often insecure. Additionally, software should be kept up to date.
Result Pass
Test #A6: Sensitive Data Exposure
Vulnerability Details Sensitive Data Exposure
Description Many web applications do not properly protect sensitive data, such as credit cards,
tax IDs, and authentication credentials. Attackers may steal or modify such weakly
protected data to conduct credit card fraud, identity theft, or other crimes.
Sensitive data deserves extra protection such as encryption at rest or in transit, as
well as special precautions when exchanged with the browser.
Result Pass
Test #A7: Missing Functional Level Access Control
Vulnerability Details Missing Functional Level Access Control
Description Most web applications verify function level access rights before making that
functionality visible in the UI. However, applications need to perform the same
access control checks on the server when each function is accessed. If requests are
not verified, attackers will be able to forge requests in order to access functionality
without proper authorization.
Result Pass
Test #A8: Cross Site Request Forgery
Test Details Cross Site Request Forgery
CVE / CWE Reference CWE-80
Description Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. There is no CSRF protection in the application.
Effects A successful cross-site request forgery attack is limited to the capabilities exposed by the vulnerable application, ranging from identity theft to misuse of administrative privileges to disruption of operations.
Result Pass
Test #A9: Using Components with known Vulnerabilities
Vulnerability Details Using Components with known Vulnerabilities
Description Components, such as libraries, frameworks, and other software modules, almost
always run with full privileges. If a vulnerable component is exploited, such an
attack can facilitate serious data loss or server takeover. Applications using
components with known vulnerabilities may undermine application defenses and
enable a range of possible attacks and impacts.
Result Pass
Test #A10: Unvalidated Redirects and Forwards
Vulnerability Details Open Redirection
Description Web applications frequently redirect and forward users to other pages and
websites, and use untrusted data to determine the destination pages. Without
proper validation, attackers can redirect victims to phishing or malware sites, or
use forwards to access unauthorized pages.
Result Pass
Test #11: Information Gathering
Vulnerability Details Information Gathering
Description Understanding the deployed configuration of the server hosting the web
application
Scenarios Tested:
  Fingerprint Web Server: Fail (Vulnerability #4)
  Review Webpage Comments and Metadata for Information Leakage: Pass
Test #12: Configuration and Deployment Management Testing
Vulnerability Details Information Gathering
Description The different elements that make up the infrastructure need to be determined in
order to understand how they interact with a web application and how they affect
its security.
Scenarios Tested:
  Test Network/Infrastructure Configuration: Pass
  Test Application Platform Configuration: Pass
  Test File Extensions Handling for Sensitive Information: Pass
  Review Old, Backup and Unreferenced Files for Sensitive Information: Pass (did not find any old or backup files)
  Enumerate Infrastructure and Application Admin Interfaces: Pass (did not find any admin console)
  Test HTTP Methods: Pass (Proof of Concept 12.1)
  Test HTTP Strict Transport Security: Fail (Vulnerability #5)
  Test RIA cross domain policy: Pass (Proof of Concept 12.2)
  Test CDN Configuration for external file listing: Pass (Proof of Concept 12.3)
Proof of Concept 12.1:
The server did not respond to an OPTIONS method request, nor to any other such (non-standard) methods
Proof of Concept 12.2:
Proof of Concept 12.3
Test #13: Identity Management Testing
Vulnerability Details Identity Management Testing
Description Validate the system roles defined within the application sufficiently define and
separate each system and business role to manage appropriate access to system
functionality and information.
Scenarios Tested:
  Test Role Definitions: Only a single role in the application
  Test User Registration Process: Pass
  Test Account Provisioning Process: Pass
  Testing for Account Enumeration and Guessable User Account: Pass (Proof of Concept 13.1)
  Testing for Weak or unenforced username policy: Pass
  Test Permissions of Guest/Training Accounts: Pass
  Test Account Suspension/Resumption Process: Pass
Proof of Concept 13.1:
Generic message is displayed even if a user-id which is not present in the system is entered.
Test #14: Cryptography
Vulnerability Details Cryptography
Description Sensitive data must be protected when it is transmitted through the network. Such data can include user credentials and credit cards. As a rule of thumb, if data must be protected when it is stored, it must also be protected during transmission.
Result Pass (Proof of Concept 14.1)
Proof of Concept 14.1:
Latest version of TLS is deployed
Test #15: Business Logic
Vulnerability Details Business Logic
Description Testing for business logic flaws in a multi-functional dynamic web application
requires thinking in unconventional methods.
Result Pass
The file upload on the /careers page was tested for abuse.
Test #16: Client Side Testing
Vulnerability Details Client Side Testing
Description Client-side testing is concerned with the execution of code on the client, typically natively within a web browser or browser plugin. The execution of code on the client side is distinct from executing on the server and returning the subsequent content.
Scenarios Tested:
  Testing for HTML Injection: Pass
  Rate Limiting Mechanism: Fail (Vulnerability #1)
  Clickjacking: Fail (Vulnerability #2)
  Testing for Cross Site Flashing: Pass
  Auto-Complete Enabled: Fail (Vulnerability #6)
CONCLUSION
The penetration testing performed on the target website discovered several vulnerabilities which could
expose sensitive data stored in the web servers. Application security testing revealed that data integrity is
at risk which could lead to modification of data. These vulnerabilities could have had a dramatic effect on
operations if a malicious party had exploited them.
We assessed the attack environment of https://integration.navaloans.com with a view to detecting vulnerable points and weak links in functionality and connectivity. Our security analysts have unearthed a substantial number of medium (66.67%) and low level vulnerabilities (33.33%), lurking predominantly in how the application handles and processes user inputs and presents sensitive information to the user. These loopholes could grease the wheels for a host of cyber attacks on unsuspecting users as well as service disruption.
In furtherance of the effectiveness of our vulnerability scanning, we have provided practical guidance for
risk mitigation with remediation techniques, best practices and tactical approaches to optimal security
maintenance. These recommendations have been developed with core competency and operational
efficiency as prime focus and will be instrumental in achieving sustained threat protection.
The specific goals of the penetration test were as follows:
- Determine whether a remote attacker could penetrate the web application.
- Ascertain the impact of a security breach on data confidentiality and systems availability.
The aforementioned targets have been successfully met, the results of which are elucidated in the report.
It is important to note that seemingly minor design and functionality issues could be leveraged in attempts
to compromise the application and the web server. We suggest deployment of the recommended
mitigation techniques and controls as well as security protocols to secure the website and databases.