Peter Wambua / My First Pentest Report

Created Mon, 06 Mar 2023 01:29:45 -0400
1127 Words

For the last project of the penetration test course with Parker Daudt, I needed to do a vulnerability assessment on OWASP JUICE SHOP and write a penetration testing report. I was able to find and exploit several vulnerabilities including SQL injection, XSS and Sensitive Data Exposure. I loved the experience and this is what I came up with:

capstone.iscollective.org Penetration Testing Report

Confidentiality Statement

This document is a confidential document owned by Wambua Penetration Testing Company. It contains confidential information which is only to be shared iscollective organization to disclose the security faults found in their web application following a security assessment that was done.

Contact Information

iscollective organization:

Name Position Contact Information
Parker Daudt Chief Information
Security Officer

parkerciso.iscollective@
gmail.com
+ 22 456 293 336
Peter Smith IT manager smithpeters.iscollective
@gmail.com
+ 67 352 292 442

Wambua Penetration Testing Company:

Name Position Contact Information
Peter Wambua Lead Pen Tester peterwambua@gmail.com
+ 254 714873030
James Masara Pen Tester masarajames@gmail.com
+ 254 742438721

Assessment Overview

As from 2 nd March 2023 to 15 th March 2023 , iscollective involved Wambua Penetration Testing Company in a penetration Test to assess the security of their web application,https://capstone.iscollective.org/#/, find vulnerabilities, report the vulnerabilities and then recommend necessary actions. Wambua company carefully tested the website in accordance with the OWASP Top 10 to ensure enough security was applied.

The following steps were carried out by the company:

  1. Planning - A plan was drawn which was how the assessment would take place. Customer needs were gathered and rules of engagement taken.
  2. Discovery - Scanning and enumeration were done to check out vulnerabilities that may be present.
  3. Engagement - The penetration testing team exploited any weak faults and vulnerabilities they found on the website.
  4. Report - A penetration report was written that highlights the vulnerabilities existing on the website, and how to repair these.

In-scope

https://capstone.iscollective.org/#/

All subdomains included

Out-of-scope

None

Executive Summary

The purpose of this penetration test was to evaluate the security of the web application hosted on the target system and identify any vulnerabilities that could be exploited by an attacker. The testing was conducted over a period of two weeks from March 2 , 2023 , to March 15 , 2023. The scope of the testing was limited to the web application hosted on the target system.

The testing identified several high-risk and critical vulnerabilities that could lead to unauthorized access to sensitive data, compromise the integrity of the system, and impact the availability of the web application. We recommend that the organization takes immediate action to address these vulnerabilities and improve its overall security posture.

Testing Methodology

The testing was done through a combination of various techniques, both manual and automated. These included:

  1. Automated scanners - These were used to identify hidden directories.
  2. Vulnerability scanners - Nessus scanner was used to identify vulnerabilities
  3. Manual PenTesting - Most of the testing was done manually testing various elements of the application

The testing methodology was designed to simulate a real-world attack on the web application, with a focus on the OWASP Top 10 vulnerabilities that can be exploited by an attacker.

Findings

The following vulnerabilities were found to be present:

Critical:

  1. SQL injection The login page was found to be vulnerable to both Error based and blind SQL injection. With an interception of burp suite, credentialsadmin’ : adminwere used. This throws an error exposing the SQL statement used to query these credentials. 
An SQL injection payload was crafted from this error message:
SELECT * FROM Users WHERE email = 'admin' OR 1 = 1 ;--
So the credentialsadmin' OR 1 = 1 ;:adminloginsin as an admin user.
  1. Cross-Site Scripting
The search feature on the home page was found to be vulnerable to
Reflected XSS.
The developers did a good job to sanitize ‘/’, so a payload like
<script>alert(XSS!)</script> doesn’t work

Trying one without the /,
<img src =q onerror=prompt( 8 )> ,
<iframe src="javascript:alert(`xss`)">
These work fine.

XSS brings a huge issue to the website security as it may cause disclosure of the user’s session cookie allowing the attacker to hijack the user’s session and completely take over the account.

  1. Sensitive data exposure i) Since we know the admin’s email,admin@juice-sh.op,we try the forgot password feature. On entering the email, it displays the security question. This is bad since through osint, you can easily find this information.

ii) After registering a user, the response showed information we did not specify, a field,“role” : “cutomer”.

This hinted to the security team how to register a user with admin privileges Inserting"role" : “admin"in the request registereda privileged user.

High risk:

  1. Broken authentication. The application was found to have a weak password policy. With the admin’s email, try some common passwords like admin, admin 123 , password, password 123 , 12345678 , qwertyuiop. The password admin 123 works! This is bad practice.
The application was noted to allow password spraying. It did not block
multiple attempts of requests from the same client. This led to a
brute-forcing attack.
  1. Session hijacking The website was found to be vulnerable to session hijacking. A user with the credentialswhoami@gmail.com : whoamiwas created Since we are logged as admin, grab the admin’s cookie. 
The user whoami’s cookie was replaced with the admin's cookie. This led
to taking over of the admin’s account

Remediation

Based on the findings of the penetration test, we recommend the following actions to improve the security posture of the web application: i) Implement input validation to avoid trusting any direct input from users. This will lead to the prevention of SQL injection. ii) Implement output encoding before the output is returned to the user. Also, validate all the input data, and make sure that only the allow-listed data is allowed. These practices will mitigate cross-site scripting. iii) Make sure to identify, filter, and classify client data. Encrypt or eliminate sensitive data from APIs to avoid exposing it. Avoid storing no-essential data and encrypting data at rest. These practices will mitigate sensitive data exposure. iv) Implement a strong password policy to prevent easy access to clients’ accounts. Set a maximum number of requests that can be made by a client to the application in a certain range of time. This will help stop brute-force attacks. v) Implement secure session management to prevent session hijacking attacks.

Conclusion

The penetration test identified several critical and high-risk vulnerabilities in the web application, which if left unaddressed, could lead to unauthorized access to sensitive data and compromise the overall security of the organization. We recommend that the organization takes immediate action to address these vulnerabilities and implement the recommendations provided in this report. Regular penetration testing and vulnerability assessments should be conducted to maintain the security of the web application and ensure that it remains protected against new and emerging threats.