PENETRATION TESTING REPORT :-
TARGET :- https://cetrenoinfotech.net/
TOOLS USED – BURPSUITE
Contents:-
1. Cryptographic Failures
2. Lack of Resources & No Rate Limiting (Multiple Login Attempts Allowed)
3. Email Spoofing & Headers Missing (No use of SPF)
4. HTML Injection
5. SQL Injection
6. CSRF (Cross-Site Request Forgery) / Account Takeover
7. Broken Access Control / IDOR (Insecure Direct Object Reference)
8. Clickjacking
9. Cross-Site Scripting (XSS) - Reflected
10. Session Cookie Without HttpOnly Flag
1. CRYPTOGRAPHIC FAILURES :
When a user visits the target https://cetrenoinfotech.net/ and clicks "Sign in", the
credentials are transmitted in plaintext: there is no redirect to HTTPS and HTTPS is not
enforced on the login form, so no encryption mechanism protects the login.
Severity Level :- High
POCs :-
Request captured: the login information is sent in plain text.
Impact :-
An attacker who can intercept the traffic, for example through a proxy or by being on the
same Wi-Fi network, can sniff the login credentials. Sniffing tools such as Wireshark are
enough to read the credentials out of the network traffic.
Mitigation :-
Enforce HTTPS on the login form and the rest of the site (redirect HTTP to HTTPS) so that
credentials are never sent in the clear. More generally, to mitigate cryptographic failures
use strong encryption keys, follow secure coding practices, and conduct regular penetration
testing. Businesses must assess and improve their cryptography implementations to prevent
vulnerabilities.
2. LACK OF RESOURCES & No rate limiting (Multiple Login Attempts allowed)
Summary:
A rate limiting algorithm is used to check whether a user session (or IP address) has to be
limited, based on the information in the session cache. If a client has made too many
requests within a given time frame, HTTP servers can respond with status code 429: Too Many
Requests.
SEVERITY- HIGH
IMPACT :-
Without a rate limit an attacker can guess usernames and passwords and run a brute-force
attack with wordlists until a valid pair is found, and can then easily take over the victim's
account. The missing limit also exposes the site to brute force, DoS and DDoS attacks.
Mitigation :-
As a best practice the site should implement rate limiting: after 5 or 10 wrong login attempts
the server should block the IP address and respond with status code 429 "Too Many Requests".
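An added example of the mitigation above (written for this report, not code from the target site): a sliding-window counter of failed logins per IP that answers 429 once the threshold is reached. The in-memory $store array, the 15-minute window and the sample address are assumptions; a real deployment keeps the counters in a shared cache such as APCu or Redis.

```php
<?php
// Added example (not the target application's code): per-IP limit on failed
// logins with a 429 once the limit is reached. The $store array stands in for
// a shared cache (APCu, Redis, a table) that a real deployment needs, because
// PHP memory does not survive between requests. Needs PHP 7.4+.

const MAX_FAILURES   = 5;    // block after 5 wrong attempts (the report's threshold)
const WINDOW_SECONDS = 900;  // failures older than 15 minutes are forgotten (assumed)

// Drops timestamps that fell out of the sliding window.
function prune(array $timestamps, int $now): array {
    return array_values(array_filter($timestamps, fn($t) => $t > $now - WINDOW_SECONDS));
}

// Returns the HTTP status the login endpoint should answer with.
function handleLogin(array &$store, string $ip, bool $passwordCorrect, int $now): int {
    $store[$ip] = prune($store[$ip] ?? [], $now);
    if (count($store[$ip]) >= MAX_FAILURES) {
        if (PHP_SAPI !== 'cli') {
            header('Retry-After: ' . WINDOW_SECONDS);
        }
        return 429; // Too Many Requests
    }
    if ($passwordCorrect) {
        unset($store[$ip]); // a successful login clears the counter
        return 200;
    }
    $store[$ip][] = $now;   // remember the failure
    return 401;
}

// Constructed demo: six wrong passwords from one address, one per second,
// then a correct password while blocked, then one after the window expires.
$store = [];
$ip = '203.0.113.10'; // documentation-range address, constructed
$codes = [];
for ($i = 0; $i < 6; $i++) {
    $codes[] = handleLogin($store, $ip, false, 1000 + $i);
}
$codes[] = handleLogin($store, $ip, true, 1006);
$codes[] = handleLogin($store, $ip, true, 1000 + WINDOW_SECONDS + 1);
echo implode(',', $codes), "\n"; // 401,401,401,401,401,429,429,200
```

An IP-based limit also hits legitimate users behind the same NAT address, so pair it with a per-account counter and a CAPTCHA rather than long hard blocks.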
3. Email Spoofing & Headers Missing (No use of SPF)
Severity : High
Tools used :-
Securityheaders.com – for checking the security headers of the email.
Ekmei - For sending the spoof email.
Summary:-
An attacker can spoof the company's email address and send mail to any victim without
having the credentials of that email account.
PoCs:-
Step 1 - Check for the security headers.
Step 2 - Security headers are missing: no SPF record is found in the headers.
Step 3 - Send a fake email to any victim from the company's email address, as there is no
security mechanism in the email headers.
Step 4 - Send the email to the victim by clicking on Send.
Step 5 - As you can see, we have received the email from the ShieldByte original email id.
Without having the email credentials an attacker can send email to anybody using the
company's email id, as there are no security headers.
Impact :-
1. Without having the email credentials an attacker can send email to anybody using the
company's email id, as there are no security headers.
2. It can be used to steal user data and to defraud customers with fake payment requests.
Mitigation :-
DMARC Policy Not Enabled - this warning indicates that the DMARC record for this domain does
not currently protect it against phishing and spoofing threats. To resolve this warning you
will need to set a Quarantine or Reject policy on the domain's DMARC record. Setting a
Quarantine or Reject value will prevent fraudsters from spoofing the domain, as receiving mail
servers will quarantine or reject messages that fail authentication tests.
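As an added illustration (not records taken from the target's DNS; the domain, mail provider and report mailbox are placeholders), the SPF and DMARC TXT records that implement the Reject policy described above:

```dns
; Added example with placeholder values, not the target domain's real records.
; SPF: only the listed provider may send mail for example.com; everyone else hard-fails.
example.com.         IN TXT "v=spf1 include:_spf.mail-provider.example -all"
; DMARC: reject mail that fails aligned SPF/DKIM and send aggregate reports,
; so spoofing attempts show up in the reports instead of in customers' inboxes.
_dmarc.example.com.  IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
```

Publish with p=none and the rua address first to see which legitimate senders fail, then move to quarantine and finally reject; DMARC only passes when SPF or DKIM aligns with the From domain, so outgoing mail should also be DKIM-signed.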
4. HTML INJECTION
Summary :-
HTML injection is a type of attack where malicious HTML code is inserted into a website. This
can lead to a variety of issues, from minor website defacement to serious data breaches.
Unlike other web vulnerabilities, HTML injection targets the markup language that forms the
backbone of most websites.
Severity : High
PoCs:-
Payload injected (URL):
https://cetrenoinfotech.net/login.php?type=%3C%22fcxzmr%20%3E%20Hacked
Figure 4.1
Figure 4.2
Impact :-
An HTML injection allows the attacker to send a malicious HTML page to a victim. The
targeted website will not be able to distinguish (trust) legitimate parts from malicious parts
of the page, and consequently will parse and render the HTML code in the victim's context.
Mitigation :-
To mitigate HTML injection vulnerabilities, prioritize input validation, output encoding, and
use of security best practices. Specifically, validate all user input to ensure it conforms to
expected formats and types, encode data before displaying it to prevent interpretation as
code, and consider using Content Security Policies (CSP) and web application firewalls
(WAFs) as additional layers of defense.
5. SQL Injection
Time-Based SQL Injection :-
Vulnerable Field :- the Address field of https://cetrenoinfotech.net/update_student_profile.php
Summary :-
SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for
backend database manipulation to access information that was not intended to be displayed. This
information may include any number of items, including sensitive company data, user lists or private
customer details.
SEVERITY :- HIGH
Payload used :-
'+(select*from(select(sleep(20)))a)+'
This is a time-based blind SQL injection payload.
PoCs:-
The address field took 20 seconds to load after injecting the payload.
Impact :-
A wide range of damaging attacks can often be delivered via SQL injection, including
reading or modifying critical application data, interfering with application logic, escalating
privileges within the database and taking control of the database server.
Mitigation :-
1. Use Prepared Statements and Parameterized Queries
Prepared statements and parameterized queries ensure that user inputs are
treated as data rather than part of the SQL query. This approach eliminates the
risk of SQL injection.
2. Employ Stored Procedures
Stored procedures are predefined SQL queries stored in the database. These
procedures can help prevent SQL injection because they don't dynamically
construct SQL queries.
3. Input Validation
When user input is not thoroughly checked, attackers can manipulate it by
entering unexpected or malicious data. This can bypass security measures and
lead to code execution vulnerabilities or unauthorized system access.
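An added example of mitigation 1 above (written for this report, not the site's own code): the Address update of update_student_profile.php done with a PDO prepared statement. The table and column names (students, address, id) are assumptions, and the demo runs against an in-memory SQLite database so it can be tried offline.

```php
<?php
// Added example (not the target application's code): the Address update in
// update_student_profile.php rewritten with a PDO prepared statement.
// Table and column names (students, address, id) are assumed.

// Vulnerable pattern behind finding 5: the field is concatenated into the SQL
// text, so a quote in the input closes the string and the rest is parsed as SQL.
//   $sql = "UPDATE students SET address = '" . $_POST['address'] . "' WHERE id = " . $id;

function updateAddress(PDO $db, int $studentId, string $address): int {
    // Validate first and reject, rather than clean, out-of-range input.
    if ($address === '' || strlen($address) > 255 || preg_match('/[\x00-\x1F\x7F]/', $address)) {
        throw new InvalidArgumentException('address failed validation');
    }
    // The query text is fixed; the address travels as a bound value, so quotes
    // and SQL keywords inside it are stored as characters, never executed.
    $stmt = $db->prepare('UPDATE students SET address = :address WHERE id = :id');
    $stmt->bindValue(':address', $address, PDO::PARAM_STR);
    $stmt->bindValue(':id', $studentId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed demo on in-memory SQLite (pdo_sqlite extension). With MySQL,
// also set PDO::ATTR_EMULATE_PREPARES to false so prepares are server-side.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE students (id INTEGER PRIMARY KEY, address TEXT)');
$db->exec("INSERT INTO students (id, address) VALUES (7, 'old address')");

// The report's time-based payload is now stored as a literal string; the
// update returns immediately instead of sleeping.
$payload = "'+(select*from(select(sleep(20)))a)+'";
var_dump(updateAddress($db, 7, $payload));  // int(1)
$stored = $db->query('SELECT address FROM students WHERE id = 7')->fetchColumn();
var_dump($stored === $payload);              // bool(true)
```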
6. CSRF (Cross-Site Request Forgery) / Account Takeover –
Vulnerable Field :- https://cetrenoinfotech.net/change_password.php
SEVERITY :- HIGH
Summary :-
Cross-site request forgery (also known as CSRF) is a web security vulnerability that
allows an attacker to induce users to perform actions that they do not intend to perform. It allows an
attacker to partly circumvent the same origin policy, which is designed to prevent different websites
from interfering with each other.
POCs:-
Figure 6.1 – Change the password.
Figure 6.2 – Password changed successfully.
Figure 6.3 – Now log in with the new password.
Figure 6.4 – Now generate the CSRF PoC.
Figure 6.5 – Copy the CSRF PoC and edit it: change the password in your notepad from
Shivam@123 to Shivam@111.
Figure 6.6 – Edit the password value to Shivam@111 and save it as an HTML file.
Figure 6.7 – Open it in a browser and submit the request.
As you can see, I am able to change the password of the victim just by sending the link.
Figure 6.8 – As you can see, the password is changed successfully.
Figure 6.9
Impact :-
An attacker is able to change the password of a user account through CSRF and can then log
in to that account without knowing the original password.
Mitigation of CSRF:-
Use CSRF tokens
The most robust way to defend against CSRF attacks is to include a CSRF token within relevant
requests. The token must meet the following criteria:
Unpredictable with high entropy, as for session tokens in general.
Tied to the user's session.
Strictly validated in every case before the relevant action is executed.
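An added example of the token defence above (written for this report, not the site's own code): a session-bound synchroniser token for change_password.php that meets the three criteria listed. The session array, form field name and status codes are assumptions; the actual password update is left as a comment because it is unchanged by the fix.

```php
<?php
// Added example (not the target application's code): synchroniser token for
// change_password.php. The token is bound to the session, unpredictable, and
// checked with a constant-time comparison before the password is changed.

function csrfToken(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits of entropy
    }
    return $session['csrf_token'];
}

// Hidden field to embed in the change-password form.
function csrfField(array &$session): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// True only if the submitted token exactly matches the session's token.
function csrfValid(array $session, array $post): bool {
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

function changePassword(array &$session, array $post): int {
    if (!csrfValid($session, $post)) {
        return 403; // Forbidden: a forged page cannot read or guess the session token
    }
    // ... verify the current password, then store the new password hash ...
    return 200;
}

// Constructed demo: a legitimate form post carries the token, a forged one does not.
$session = [];
$field = csrfField($session);                         // renders the hidden input
$legit  = ['new_password' => 'x', 'csrf_token' => $session['csrf_token']];
$forged = ['new_password' => 'x'];
var_dump(changePassword($session, $legit));   // int(200)
var_dump(changePassword($session, $forged));  // int(403)
```

Requiring the current password on the change form is a second independent defence, since a forged request cannot supply it; the SameSite=Strict cookie attribute from finding 10 adds a third.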
7. Broken Access Control / IDOR (Insecure Direct Object Reference)
Vulnerable Field :- http://cetrenoinfotech.net/edit_interestarea.php?id=11
Summary :
A mentor is able to edit the interest area of a user, and by changing the id he can change
multiple interest areas of the user.
OWASP Category: A01 - Broken Access Control
PoCs :
As you can see, this is a mentor account and it is able to edit the interest area of a normal
user.
Figure 7.1
Impact :-
Data Breaches: when a company has broken access controls it is easy for an attacker to steal
company data.
1. You are changing data (interest area) that does not belong to you (a mentor editing
student fields).
2. The system uses a direct object reference (id=8) in the URL.
3. There is no proper authorization check on the backend to ensure Adrian (mentor)
has access rights to modify this student's data.
4. You can manipulate id in the URL to access or modify other users' information.
Mitigation :-
1. Robust Input Validation and Sanitization
Thoroughly validate and sanitize all user-supplied input to prevent malicious data from infiltrating
your application. This includes data from forms, URL parameters, and other sources. By carefully
examining and filtering input, you can mitigate the risk of injection attacks and other vulnerabilities
that can lead to broken access control.
2. Enforce the Principle of Least Privilege
Grant users only the minimum permissions necessary to perform their tasks. This principle helps to
limit the potential damage if an account is compromised. By restricting access to sensitive data and
functionalities, you reduce the attack surface and make it more difficult for attackers to escalate
their privileges.
3. Prevent Code Injection
Implement robust measures to protect your application from code injection attacks, such as SQL
injection and cross-site scripting (XSS). These attacks can be used to bypass access controls and
execute malicious code. By employing techniques like parameterized queries, input validation, and
output encoding, you can significantly reduce the risk of code injection vulnerabilities.
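An added example of the missing backend authorization check (written for this report, not the site's own code): edit_interestarea.php looks the record up by id AND by the owner taken from the session, so a mentor's session never matches a student's row. The table and column names (interest_areas, user_id, name) and the in-memory SQLite demo data are assumptions.

```php
<?php
// Added example (not the target application's code): server-side ownership
// check for edit_interestarea.php?id=N. Table and column names
// (interest_areas, user_id, name) are assumed.

// Loads the record only if it belongs to the requesting user; a mentor
// asking for a student's row gets null, never the row.
function loadOwnInterestArea(PDO $db, int $currentUserId, int $id): ?array {
    $stmt = $db->prepare(
        'SELECT id, user_id, name FROM interest_areas WHERE id = :id AND user_id = :uid'
    );
    $stmt->execute([':id' => $id, ':uid' => $currentUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns an HTTP status: 403 when the id is not the caller's own, 200 when it is.
function editInterestArea(PDO $db, array $session, array $query, string $newName): int {
    $id = filter_var($query['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false || empty($session['user_id'])) {
        return 400;
    }
    if (loadOwnInterestArea($db, (int)$session['user_id'], $id) === null) {
        return 403; // same answer for a foreign row and a missing one, so ids reveal nothing
    }
    // The owner condition is repeated in the UPDATE so the check cannot be raced.
    $stmt = $db->prepare('UPDATE interest_areas SET name = :n WHERE id = :id AND user_id = :uid');
    $stmt->execute([':n' => $newName, ':id' => $id, ':uid' => (int)$session['user_id']]);
    return 200;
}

// Constructed demo on in-memory SQLite: interest area 11 belongs to student 3,
// user 5 plays the mentor from the finding.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE interest_areas (id INTEGER PRIMARY KEY, user_id INTEGER, name TEXT)');
$db->exec("INSERT INTO interest_areas VALUES (11, 3, 'Security')");
var_dump(editInterestArea($db, ['user_id' => 5], ['id' => '11'], 'Cloud')); // int(403)
var_dump(editInterestArea($db, ['user_id' => 3], ['id' => '11'], 'Cloud')); // int(200)
```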
8. Clickjacking
SEVERITY : HIGH
Summary :-
Clickjacking is loading one website inside another website (in a frame). An attacker can use
it to carry out malicious activity by tricking the victim into clicking on sensitive buttons,
which can leak sensitive details.
Figure 8.1
Figure 8.2
Impact :-
If a page fails to set an appropriate X-Frame-Options or Content-Security-Policy HTTP
header, it might be possible for a page controlled by an attacker to load it within an iframe.
This may enable a clickjacking attack, in which the attacker's page overlays the target
application's interface with a different interface provided by the attacker. By inducing victim
users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to
unwittingly carry out actions within the application that is being targeted. This technique
allows the attacker to circumvent defenses against cross-site request forgery, and may result
in unauthorized actions.
Mitigation :-
To effectively prevent framing attacks, the application should return a response header with
the name X-Frame-Options and the value DENY to prevent framing altogether, or the value
SAMEORIGIN to allow framing only by pages on the same origin as the response itself.
Note that the SAMEORIGIN header can be partially bypassed if the application itself can be
made to frame untrusted websites.
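An added example (written for this report, not the site's own code) that covers the header fix above for finding 8 together with the HTTPS enforcement that finding 1 calls for: one include, loaded before any output, that redirects plain-HTTP requests and sets the anti-framing and HSTS headers on HTTPS responses. It assumes PHP sees the TLS state in $_SERVER['HTTPS']; behind a reverse proxy the trusted X-Forwarded-Proto value must be used instead.

```php
<?php
// Added example (not the target application's code): an include loaded before
// any output on every page. It forces HTTPS so the login form is never served
// or posted in clear text (finding 1) and forbids framing (finding 8).
// Assumes PHP sees the TLS state in $_SERVER['HTTPS'] (no reverse proxy).

const CANONICAL_HOST = 'cetrenoinfotech.net'; // fixed, never taken from the Host header

function isHttps(array $server): bool {
    return (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off')
        || (string)($server['SERVER_PORT'] ?? '') === '443';
}

// Returns a redirect for plain-HTTP requests, otherwise the protective headers.
function securityHeaders(array $server): array {
    if (!isHttps($server)) {
        $path = $server['REQUEST_URI'] ?? '/';
        return ['status' => 301, 'Location' => 'https://' . CANONICAL_HOST . $path];
    }
    return [
        'status' => 200,
        // Browser pins HTTPS for a year: a later http:// link is upgraded before any request leaves.
        'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
        // Legacy and modern anti-framing controls; DENY and 'none' block every framer.
        'X-Frame-Options' => 'DENY',
        'Content-Security-Policy' => "frame-ancestors 'none'",
    ];
}

function sendSecurityHeaders(array $server): void {
    $h = securityHeaders($server);
    http_response_code($h['status']);
    foreach ($h as $name => $value) {
        if ($name !== 'status') {
            header($name . ': ' . $value);
        }
    }
    if ($h['status'] === 301) {
        exit; // never render the login form over plain HTTP
    }
}

// Constructed demo: a plain-HTTP hit on login.php is redirected; an HTTPS hit gets the headers.
$plain = ['HTTPS' => '', 'SERVER_PORT' => '80', 'REQUEST_URI' => '/login.php'];
$tls   = ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'REQUEST_URI' => '/login.php'];
var_dump(securityHeaders($plain)['Location']);       // "https://cetrenoinfotech.net/login.php"
var_dump(securityHeaders($tls)['X-Frame-Options']);  // "DENY"
```

Add includeSubDomains only once every subdomain serves HTTPS, because browsers will refuse plain HTTP to all of them for the whole max-age.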
9. Cross Site Scripting - XSS (REFLECTED XSS)
SEVERITY : HIGH
Figure 9.1
Figure 9.2
Impact :-
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and
echoed into the application's immediate response in an unsafe way. An attacker can use the
vulnerability to construct a request that, if issued by another application user, will cause
JavaScript code supplied by the attacker to execute within the user's browser in the context of
that user's session with the application.
Mitigation:-
Input should be validated as strictly as possible on arrival, given the kind of content
that it is expected to contain. For example, personal names should consist of
alphabetical and a small range of typographical characters, and be relatively short; a
year of birth should consist of exactly four numerals; email addresses should match a
well-defined regular expression. Input which fails the validation should be rejected,
not sanitized.
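An added example (written for this report, not the site's own code) that covers the mitigation above and the one for finding 4, since both turn on the same reflected `type` parameter of login.php: validate on arrival against an allow-list and reject failures, then encode whatever is echoed. The allowed values ('student', 'mentor') and the heading markup are assumptions.

```php
<?php
// Added example (not the target application's code): handling of the `type`
// query parameter that login.php reflects (findings 4 and 9). Allow-list
// validation on arrival, then output encoding for anything that is echoed.
// The allowed values ('student', 'mentor') are assumed.

const ALLOWED_TYPES = ['student', 'mentor'];

// Rejects, rather than cleans, anything outside the expected set.
function validateType(?string $raw): ?string {
    if ($raw === null || !in_array($raw, ALLOWED_TYPES, true)) {
        return null;
    }
    return $raw;
}

// Encoding for an HTML text or attribute context: <, >, &, " and ' become entities.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Builds the page fragment. Invalid input yields a fixed heading, so the raw
// request value never reaches the markup; valid input is still encoded.
function renderLoginHeading(array $query): string {
    $type = validateType($query['type'] ?? null);
    if ($type === null) {
        return '<h2>Sign in</h2>';
    }
    return '<h2>Sign in as ' . h($type) . '</h2>';
}

// Constructed demo with the report's own injected value (decoded from the URL).
$injected = urldecode('%3C%22fcxzmr%20%3E%20Hacked');     // <"fcxzmr > Hacked
var_dump(renderLoginHeading(['type' => $injected]));      // "<h2>Sign in</h2>"
var_dump(renderLoginHeading(['type' => 'mentor']));       // "<h2>Sign in as mentor</h2>"
var_dump(h($injected)); // "&lt;&quot;fcxzmr &gt; Hacked": inert even where it must be echoed
```

Encoding is context-specific: h() is right for HTML text and quoted attributes, while a value placed inside a script block or a URL needs the encoding for that context instead.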
10. Session Cookie Without HttpOnly Flag
Type: Insecure Cookie Attribute
Severity: High
Impact: Session hijacking via JavaScript (XSS vector)
Description:
The session identifier PHPSESSID is accessible via document.cookie, which indicates the
HttpOnly flag is not set. This makes it possible for an attacker to steal the session token
through a Cross-Site Scripting (XSS) vulnerability, if present.
Proof of Concept:
1. Open the browser's developer console.
2. Run:
   console.log(document.cookie);
3. Output:
   PHPSESSID=535bce62150dc4f6e40e226848fb28dd
Recommended Fix:
Set the HttpOnly flag for all sensitive cookies like session IDs. In PHP the attributes must be
set before session_start() so the PHPSESSID cookie is issued with them (array syntax needs PHP 7.3+):
session_set_cookie_params([
    "httponly" => true,     // not readable from document.cookie
    "secure"   => true,     // only sent over HTTPS
    "samesite" => "Strict", // not attached to cross-site requests
]);
session_start();