Web App Vulnerability Insights

Uploaded by tonny gich

Page 1 of 30 - Cover Page Submission ID trn:oid:::3618:74513306

Vulnerability Testing.docx
United International University

Document Details

Submission ID: trn:oid:::3618:74513306
Submission Date: Dec 20, 2024, 3:59 PM GMT+5:30
Download Date: Dec 20, 2024, 4:01 PM GMT+5:30
File Name: Vulnerability Testing.docx
File Size: 2.7 MB
Length: 26 pages, 2,484 words, 14,019 characters


Integrity Overview: 21% Overall Similarity

Vulnerability Testing
INTRODUCTION

Web application testing is essential to defending against internet threats and cyberattacks. Both
known and unexpected weaknesses in online applications can be found using open-source
tools for vulnerability assessment, which helps in recognizing the associated risks. Developers can alter
and contribute to future development by using the source code that open-source tools provide
(Al-Ahmad et al., 2019). VAPT tools act like a hacker and target the system from inside as
well as outside the network. If unauthorized access turns out to be possible, the system needs to be fixed.
Penetration testing and vulnerability assessment are essential tasks for online application
protection. The process of identifying, evaluating, and ranking a system's vulnerabilities is
known as vulnerability assessment. The goal of this project is to identify tools that may
be used to discover possible weaknesses in a system by performing penetration
testing and vulnerability assessment on Metasploitable DVWA.

We employ automated methods to find vulnerabilities in particular web applications
throughout the vulnerability scanning process (Abu-Dabaseh & Alshammari, 2018). Spider,
Scanner, Intruder, Repeater, Sequencer, Decoder, Comparer, and Extender are some of the
features of the Burp Suite intercepting proxy tool. Nikto is a free, open-source vulnerability
scanner that looks for security flaws on the web server. Advanced Scan, Badlock
Detection, Bash Shellshock Detection, Basic Network Scan, Licensed Path Audit, DROWN
Detection, Host Discovery, Intel AMT Security Bypass, Spyware Scan, Shadow Brokers
Scan, WannaCry Ransomware, and Web Application Tests are just a few of the features that
Nessus, an advanced automated scanner, offers (Abu-Dabaseh & Alshammari, 2018). A
complete tool for checking the security of web applications is OWASP ZAP.

VULNERABILITY ANALYSIS

VULNERABILITY 1

Remote File Inclusion

Impact: Medium    Probability: Medium

FINDING

The page (http://10.0.2.15/dvwa/vulnerabilities/fi/?page=include.php) was found
to be susceptible to file inclusion attacks, which give the attacker the ability to remotely run
file system commands from the vulnerable web application URL. This vulnerability was
exploited using Linux terminal commands and the URL of the web app. Unauthorized public
access was granted to the hosting server's password-protected directories and group files
(Pilorz, 2008). This is seen below.

RECOMMENDATION

PHP's allow_url_fopen setting allows the URL to connect to the file directory on the
remote host, so it should be disabled. Using web application firewalls, intrusion prevention systems, and
intrusion detection systems (IDS) to stop unexpectedly damaging commands from the
URL from being executed can help protect the system from this attack. System inputs can
be verified and corrected using the PHP code below before being executed.

<?php
if (isset($_POST['submit'])) {
    require_once '../functions.php';
    // validate the submitted page name here before it reaches include()
}
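As an added example (not the report's own or DVWA's code), a hardened handler for the `?page=` parameter from this finding: the requested name is looked up in a fixed whitelist and the resolved path is checked to lie inside the pages directory, and the script also reports whether the interpreter still permits remote inclusion. PHP 8, the directory name and the page names are assumptions.

```php
<?php
// Added example (not the report's or DVWA's own code): a hardened handler for the
// "?page=" parameter of the file inclusion finding. The requested name is looked up
// in a fixed whitelist and the resolved path is checked to lie inside PAGE_DIR.
// Assumes PHP 8; the directory and page names are constructed for the example.

declare(strict_types=1);

// The only values ?page= may take, mapped to the file each one means.
const ALLOWED_PAGES = [
    'include.php' => 'include.php',
    'file1.php'   => 'file1.php',
];
const PAGE_DIR = __DIR__ . '/pages';

/**
 * Map the user-supplied page name to a real file under PAGE_DIR, or null.
 * The lookup is by exact key, so a URL ("http://host/x.txt"), a stream wrapper
 * ("php://input") or "../../etc/passwd" can never become the include target.
 */
function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $real = realpath(PAGE_DIR . '/' . ALLOWED_PAGES[$requested]);
    // Defence in depth: even a whitelisted entry must resolve inside PAGE_DIR.
    if ($base === false || $real === false || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $real;
}

/**
 * Remote inclusion also needs the interpreter's cooperation: include() of a URL
 * requires allow_url_include, which in turn requires allow_url_fopen. Report
 * either being on so the deployment check the report recommends fails loudly.
 */
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)
        || filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

if (remote_include_enabled()) {
    error_log('warning: allow_url_fopen/allow_url_include is enabled');
}

$page = $_GET['page'] ?? 'include.php';
$file = resolve_page(is_string($page) ? $page : '');
if ($file === null) {
    http_response_code(400);
    exit('Unknown page');
}
require $file;
```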

VULNERABILITY 2

SQL Injection Attack

Impact: High    Probability: Medium

FINDING

The administrator's username was discovered using Burp Suite, as shown in the
second image below. In order to sign on successfully to the account with the username
"Bob," the web application uses the strings 5, 6, and 3 on the SQL page
(http://10.0.2.15/dvwa/vulnerabilities/sqli/) for user information, as seen below. To log in
as administrator, use the compromised username. The admin user has full administrative rights
and is able to modify user passwords.

RECOMMENDATION

To filter and stop a dangerous request made against the system from being permitted,
ModSecurity is set up using a set of rules. Web application firewalls, like ModSecurity,
are the best defenses against SQL injection. SHA-1 or MD5, two cryptographic hash
functions, are used to store the password field in a database. Using validation to restrict
the characters that can be entered in the email address and telephone number fields to only
number and letter combinations, among other things, is part of thorough data cleaning.

VULNERABILITY 3

Stored XSS Attack

Risk: High    Impact: High

FINDING

The user profile and blog pages (https://dvwa.com/profile.php and
https://dvwa.com/index.php) are vulnerable to attacks employing stored cross-site
scripting. While logged in as a regular user on the profile page, Burp Suite and the injected
code were used to edit the user profile and preserve the changes. As seen in the user profile
figure below, the injected code was embedded in the profile page and is still present across
the system. As seen in the image below, this results in the appearance of a harmful trap
message.

RECOMMENDATION

Software developers are required to create systems that sanitize any user input that
will be saved to the system. The most crucial inputs are those that will be placed into
the database or passed to OS commands, which have the ability to run malicious code
(OWASP, 2015). Form field validation, such as PHP server-side validation, can be used to
impose these limits.

VULNERABILITY 4

Brute Force Attack

High Medium

Impact Unauthorized entry

FINDING

Strong input validation was not used when implementing the login and password sections
on the sign-up page (http://10.0.2.15/dvwa/login.php).
The system enables the user to easily brute force the website. Burp Suite's Intruder
functionality was used to gather information and launch a brute force attack on the login
page and password page. A variety of passwords were used to generate a random password
along with hints to some well-known usernames, such as admin (OWASP, 2015).

For request ID 693, the render option of the response, with payloads 1 and 2 being Admin and
admin, indicates a successful answer and an administrative account.

RECOMMENDATION

It is highly recommended that form fields, particularly the password field, have
validation set in order to firmly prevent a brute force assault. The input size, upper- and lower-case
letter combinations, special characters, and data ought to all be covered by this verification
process. In order to keep the user from knowing who is asking a particular question, it is also
advised that encrypted questions be offered as an alternative. The PHP code in Appendix A
can be used to have users create strong passwords for their accounts (Mehtre, 2014).
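The PHP server-side validation that the recommendations for Vulnerabilities 3 and 4 call for, as an added example rather than the report's Appendix A: profile fields are checked against whitelists, a new password is checked against a length, case, digit and symbol policy, and stored values are HTML-escaped at output time so an injected script renders as text. The field names and the password rules are assumptions.

```php
<?php
// Added example (not the report's own code) for the Vulnerability 3 and 4
// recommendations: server-side validation of profile fields and of a new
// password, plus HTML escaping at output time so a stored value such as
// "<script>alert(1)</script>" renders as text instead of running.
// Field names and the password rules are constructed for the example.

declare(strict_types=1);

/** Validate the profile form; returns a map of field => error message. */
function validate_profile(array $post): array
{
    $errors = [];
    $name = trim((string) ($post['display_name'] ?? ''));
    if (!preg_match('/^[\p{L}\p{N} .\'-]{1,40}$/u', $name)) {
        $errors['display_name'] = 'letters, digits, spaces and . \' - only (max 40)';
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid e-mail address';
    }
    if (!preg_match('/^\+?[0-9 ]{6,20}$/', (string) ($post['phone'] ?? ''))) {
        $errors['phone'] = 'digits, spaces and a leading + only';
    }
    return $errors;
}

/** Password policy from the report: length, mixed case, digits and symbols. */
function validate_password(string $pw): array
{
    $checks = [
        'at least 12 characters' => strlen($pw) >= 12,
        'an upper-case letter'   => preg_match('/[A-Z]/', $pw) === 1,
        'a lower-case letter'    => preg_match('/[a-z]/', $pw) === 1,
        'a digit'                => preg_match('/[0-9]/', $pw) === 1,
        'a symbol'               => preg_match('/[^A-Za-z0-9]/', $pw) === 1,
    ];
    // Names of the rules that failed; an empty array means the password is acceptable.
    return array_keys(array_filter($checks, fn (bool $ok) => !$ok));
}

/** Escape for an HTML text or attribute context; do this on output, every time. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed request resembling the stored-XSS finding.
$post = [
    'display_name' => '<script>alert(1)</script>',
    'email'        => 'bob@example.com',
    'phone'        => '+44 20 7946 0000',
];
print_r(validate_profile($post));      // the display_name field is reported as invalid
print_r(validate_password('short'));   // the rules this password breaks
// Even a value that already reached the database is harmless once escaped:
echo '<p class="name">' . h($post['display_name']) . "</p>\n";
```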

VULNERABILITY 5

Adding data with SQL Injection

Low Medium

Impact Very High

FINDING

The username and password form fields on the login page
(https://vulnapp.com/login.php) were the target of a SQL injection attack. This
demonstrates how the attacker effectively adds fictitious users.

RECOMMENDATION

By applying validation techniques, SQL statement elements such as semicolons,
single quotes, and double dashes could be removed from the query. Additionally, a whitelist
could be created that would contain all the characters permitted for each type of field
(Xynos, 2010). The application data that is sent to the SQL server could be separated from
user input using a parameterized query (OWASP, 2015).
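The parameterized query recommended here and the whitelist validation and password hashing recommended for Vulnerability 2, combined in one login check; this is an added example, not the report's code, and it swaps the report's MD5/SHA-1 suggestion for PHP's password_hash(), which is salted and deliberately slow. It runs against an in-memory SQLite table whose schema and rows are constructed for the example.

```php
<?php
// Added example (not the report's own code): a login check written the way the
// recommendations for Vulnerabilities 2 and 5 describe, with user input kept out
// of the SQL text by a parameterized query. It swaps the report's MD5/SHA-1
// suggestion for password_hash(), which is salted and slow by design.
// Assumes PHP 8 with PDO SQLite; table and rows are constructed for the demo.

declare(strict_types=1);

/** Vulnerable form, for comparison: the input becomes part of the SQL text. */
function vulnerable_sql(string $username): string
{
    // With a quote and OR in $username the WHERE clause can be made always true,
    // which is the 1'OR'1'='1 mechanism described later in the report.
    return "SELECT id FROM users WHERE username = '$username'";
}

/** Whitelist validation on the username field (constructed policy). */
function valid_username(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username);
}

/** Returns the user id on success, null otherwise. */
function authenticate(PDO $db, string $username, string $password): ?int
{
    if (!valid_username($username) || $password === '') {
        return null;
    }
    // Placeholder: the driver sends the value separately from the query text,
    // so quotes, semicolons and "--" in $username cannot change the statement.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Self-contained demo on an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'bob', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(authenticate($db, 'bob', 'correct horse'));   // the stored user's id
var_dump(authenticate($db, 'bob', 'wrong'));           // null: hash mismatch
// Rejected by the whitelist; even without it the placeholder would pass the
// whole string as one literal value and match no row.
var_dump(authenticate($db, "bob' OR '1'='1", 'anything'));
```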

VULNERABILITY 6

Path Traversal Attack

Impact: Low    Probability: High

FINDING

Through the upload of files, the web application URL was able to read the contents
of a non-referenced resource. Although they are visible through the test code in the
development directory, the log entries are contained in the log2 file in the temporary
directory.

RECOMMENDATION

An easier technique to secure web application files and routes is to use
Apache's .htaccess file. We must navigate to the Apache configuration file in a directory like
etc./HTTP/config, find the .htaccess file, and set its option to AllowOverride All in order to
limit which directories can be inserted in the .htaccess file. By preventing file and directory
listing attacks, adding a .htaccess file to an HTML/www directory and inserting the code
below adds an extra degree of security. It is recommended to implement a user role policy
when allowing access to files or folders within the framework. Before allowing the user
access to any system resources, this policy should make sure they have been authenticated and
given authorization.

VULNERABILITY 7

Spoof an Authentication Cookie

Impact: Medium    Probability: Medium

FINDING

The results showed that users can reuse the PHP session ID that is given to them at
each login until their next login. The figure below shows a successful log-in with cookies for a
specific account, captured by intercepting the request using Burp Suite for the user
Admin (Aires Berbigão, 2019). The system successfully logged in without requiring any login
tokens when a page request was made using the same session ID that was kept in Burp
Suite. This flaw results from the absence of a logout mechanism to reset the session variable
and from thread-safety concurrency concerns.

RECOMMENDATION

When the user logs out, this session ID should become inactive, and a new one
should be generated at random for them when they log in again. Extreme complexity and
randomness should be used when concatenating the user ID from the
database with the session ID (OWASP, 2013). Since XSS attacks are mainly used to retrieve
user session cookies without the system's consent, the form fields have likewise been protected
against XSS attacks.
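The session handling this recommendation describes, as an added example (not the report's code): a fresh ID is issued on login so an ID captured or planted beforehand is never promoted, logout destroys the server-side session and expires the cookie, and the cookie is sent HttpOnly and Secure so scripts and plain HTTP cannot read it. The credential check is a stub standing in for a database lookup, and PHP 7.3 or later is assumed for the array form of the cookie functions.

```php
<?php
// Added example (not the report's own code) for the Vulnerability 7
// recommendation: issue a fresh session ID on login, invalidate it on logout,
// and send the cookie with flags that keep scripts and plain HTTP away from it.
// Assumes PHP >= 7.3; check_credentials() is a constructed stub, not a real DB.

declare(strict_types=1);

function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable by JavaScript (limits XSS theft)
        'samesite' => 'Strict',
    ]);
    session_start();
}

/** Stub: returns the user id for valid credentials (constructed, no real DB). */
function check_credentials(string $user, string $pass): ?int
{
    return ($user === 'bob' && $pass === 'correct horse') ? 42 : null;
}

function login(string $user, string $pass): bool
{
    $uid = check_credentials($user, $pass);
    if ($uid === null) {
        return false;
    }
    // Replace the ID the client arrived with, so an ID captured or planted
    // before login (as in the Burp replay in the finding) is never promoted.
    session_regenerate_id(true);
    $_SESSION = ['uid' => $uid, 'login_at' => time()];
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

/** Reject requests whose session is missing or idle longer than the limit. */
function require_login(int $max_idle = 900): int
{
    if (empty($_SESSION['uid'])
        || time() - ($_SESSION['seen_at'] ?? $_SESSION['login_at']) > $max_idle) {
        logout();
        http_response_code(401);
        exit('Please log in again');
    }
    $_SESSION['seen_at'] = time();
    return (int) $_SESSION['uid'];
}

start_secure_session();
$action = (string) ($_POST['action'] ?? '');
if ($action === 'login') {
    echo login((string) ($_POST['user'] ?? ''), (string) ($_POST['pass'] ?? '')) ? "logged in\n" : "denied\n";
} elseif ($action === 'logout') {
    logout();
    echo "logged out\n";
} else {
    echo 'user ' . require_login() . " is authenticated\n";
}
```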

VULNERABILITY 8

Malicious Execution and PHP Reverse Shell

Impact: High    Probability: Low

FINDING

We discovered and exploited a website that was susceptible to fraudulent file
uploads. The malicious file was meant to replace the .jpeg extension with a .php extension in
order to get around the client-side field restriction. Using Burp Suite, the malicious file's
extension was changed from JPEG to PHP before it was
uploaded to the system (Goel, 2015). As may be seen below, the file was successfully posted
to the system's uploads folder. Because of the reverse shell source code, an attacker can
remotely access the server's shell by using the PHP file. We added the IP address 10.0.2.10
and port number 4444 for the DVWA virtual machine network in the PHP file as shown
below so that we could access the shell. After that, we ran the malicious file from the DVWA
machine on the Metasploit computer.

The malicious code we created, which was successfully uploaded and run.

RECOMMENDATION

Using server-side validation to block extensions that aren't permitted is one security
method that might be employed to thwart the attack. According to Reddy and Yalla (2016),
this would guard against evasion techniques that alter the file type as data is moving
through the system. By banning all extensions that are not allowed and whitelisting those
that are, this type of attack can also be reduced. Using an antivirus tool to verify the files
before uploading them to the database and using .htaccess to limit the directory in which
uploaded files are stored are two more essential fixes. PHP server-side validation can be
used to stop extensions that aren't allowed, with a limit on the maximum and minimum
sizes of the accepted file types. Validation code for filenames and type modifications may
also be included.
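The server-side upload validation recommended here, together with the path containment that the Vulnerability 6 recommendation addresses with .htaccess, as an added example (not the report's code): extensions are whitelisted, the real content type and size are checked, the file is stored under a random server-chosen name in a directory outside the web root, and a download request is served only if the resolved path stays inside that directory. The directory, the size limits and the allowed types are assumptions, and PHP 8 is assumed for str_starts_with().

```php
<?php
// Added example (not the report's own code) for the Vulnerability 6 and 8
// recommendations: an upload handler that whitelists extensions, checks the
// real content type and size, stores the file under a random name outside the
// web root, and serves it back only after confirming the resolved path stays
// inside that directory. Assumes PHP 8; directory and limits are constructed.

declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed: not under the web root
const MAX_BYTES  = 2 * 1024 * 1024;
const MIN_BYTES  = 1;
const ALLOWED    = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];

/** Validate one entry of $_FILES; returns the stored filename or an "error: ..." string. */
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'error: upload failed';
    }
    if ($file['size'] < MIN_BYTES || $file['size'] > MAX_BYTES) {
        return 'error: size out of range';
    }
    // The client-supplied name only contributes its extension, and only if
    // whitelisted; a ".php" name is rejected outright here.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return 'error: extension not allowed';
    }
    // $file['type'] also comes from the client; sniff the bytes instead, which
    // catches PHP source saved under an image extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED[$ext]) {
        return 'error: content does not match extension';
    }
    // Random server-chosen name: the client never controls the path on disk.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        return 'error: could not store file';
    }
    return $name;
}

/**
 * Resolve a requested filename to a path inside UPLOAD_DIR, or null.
 * Guards the download side against "../" and absolute paths (Vulnerability 6).
 */
function safe_upload_path(string $requested): ?string
{
    if (!preg_match('/^[a-f0-9]{32}\.(jpe?g|png)$/', $requested)) {
        return null;                          // only names this code generated
    }
    $base = realpath(UPLOAD_DIR);
    $real = realpath(UPLOAD_DIR . '/' . $requested);
    if ($base === false || $real === false) {
        return null;
    }
    return str_starts_with($real, $base . DIRECTORY_SEPARATOR) ? $real : null;
}

// Usage in an upload endpoint:
if (isset($_FILES['avatar'])) {
    $result = store_upload($_FILES['avatar']);
    echo str_starts_with($result, 'error:') ? $result : "stored as $result";
}
```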

VULNERABILITIES ANALYZED

INJECTION

This is a procedure that attacks the web application database layer by injecting SQL,
LDAP, OS, or HTML commands and concatenating them with a genuine query from the
client-side input parameter, cookie fields, or server variables (Saindane, 2020). There are
reports of SQL injection attacks occurring on web protocols like HTTP in addition to
webpages. According to Ghanem (2020), an attacker can use injections to get access to a
victim system and possibly query data.

EXPLANATIONS OF SQL INJECTION MECHANISMS

To test a form field for SQL vulnerability, enter a single quote mark at the end of the input
parameter, or submit an empty field, and see whether the system alerts the user to a database
problem. SQL injection attacks that start with the client's input parameter affect the
backend database (OWASP, 2014). When incorporated into the query language itself, the
injected code is a particular script that runs on the backend. Any database or form field that
could be vulnerable to a SQL injection attack can be inferred from the error message. The
beginning and end of string values are delimited in the MySQL language by a single
quotation mark (Scambray et al., 2011).

The remaining input of a parameter value can be escaped by using the double
hyphen operator, which specifies that the characters beyond that point in the value will
be disregarded. UNION and subquery SQL statements are also vulnerable to SQL injection
attacks (w3schools, 2016). When input uses OR between text characters with a single
quotation mark between them, like 1'OR'1'='1 in a form field, it alters how a WHERE
conditional statement runs. This is known as a SQL injection attack. The OR method
manipulates the value of the query by keeping the AND conditions' values always true.
Batch statements, which allow instructions to be executed based on input parameters, are
enabled by some SQL servers (Al Shebli, 2018).

CONCLUSION

The purpose of this penetration test was to evaluate the security measures in place
at DVWA's web application against unauthorized access to private information by both
internal and external attackers. It also sought to identify any vulnerabilities that would
endanger the company or its customers. Network security evaluations may be instructive,
but they don't necessarily show how far hackers would take advantage of flaws. Although
penetration testers try to mimic actual attacks, they frequently breach systems by taking
advantage of vulnerabilities. Because they only need to find one weakness to exploit,
hackers and intruders are frequently successful, whereas penetration testers may need to find
numerous weaknesses in the network.

To achieve our goals and evaluate the application's safety state, we employed both
manual and commercial scanning techniques. Because so many vulnerabilities have been
found and exploited, we rate the target application's security as extremely low. It is
recommended that the application undergo a quarterly vulnerability management
procedure. Sustain and enhance the process for a robust security stance. Use the
remediation and solutions in this document to minimize or eliminate network vulnerabilities
that could compromise security.

REFERENCES
1. Al Shebli, H. M. Z., & Beheshti, B. D. (2018, May). A study on penetration testing
process and tools. In 2018 IEEE Long Island Systems, Applications and Technology
Conference (LISAT) (pp. 1-7). IEEE.
2. W3Schools. (2016, last update). SQL Injection. Available:
http://www.w3schools.com/sql/sql_injection.asp
3. Goel, J. N. (2015). "Vulnerability Assessment & Penetration Testing as a Cyber Defence
Technology." Conference paper.
4. Saindane, M. (2020). "Penetration Testing: A Systematic Approach."
http://www.infosecwriters.com/text_resources/pdf/PenTest_MSaindane.pdf
5. Xynos, K., Sutherland, I., Read, H., Everitt, E., & Blyth, A. J. (2010). Penetration
testing and vulnerability assessments: A professional approach.
6. Reddy, M. R., & Yalla, P. (2016, March). Mathematical analysis of penetration
testing and vulnerability countermeasures. In 2016 IEEE International Conference on
Engineering and Technology (ICETECH) (pp. 26-30). IEEE.
7. Scambray, J., Liu, V., & Sima, C. (2011). Hacking exposed web applications: Web
application security secrets and solutions (3rd ed.). New York; London: McGraw-Hill.
8. Aires Berbigão, F. F. (2019). Integration of intelligence techniques on the execution
of penetration tests (iPentest) (Doctoral dissertation).
9. Goel, J. N., & Mehtre, B. M. (2015). Vulnerability assessment & penetration
testing as a cyber defense technology. Procedia Computer Science, 57, 710-715.
10. Open Web Application Security Project. "Open Web Application Security Project."
[Online]. Available: https://www.owasp.org/index.php/Main_Page
11. OWASP. (2015a, 21 August, last update). Available:
https://www.owasp.org/index.php/Top_10_2013-Top_10
12. OWASP. (2015b, 12/8/2015, last update). Cross-Site Request Forgery (CSRF)
Prevention Cheat Sheet. Available:
https://www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet
13. Abu-Dabaseh, F., & Alshammari, E. (2018, April). Automated penetration testing: An
overview. In The 4th International Conference on Natural Language Computing,
Copenhagen, Denmark (pp. 121-129).
14. Al-Ahmad, A. S., Kahtan, H., Hujainah, F., & Jalab, H. A. (2019). Systematic literature
review on penetration testing for mobile cloud computing applications. IEEE
Access, 7, 173524-173540.
