
BOOK UR SHOW PENETRATION TESTING REPORT V 1.0

Vulnerability Assessment and Penetration Testing for Web Application BookUrShow


Methodology Summary
In order to perform a comprehensive Web Application Security Assessment, we would perform a
Vulnerability Assessment and Penetration Test according to the OWASP, SANS, NIST and OSSTMM
standards. Several procedures are performed to ensure that the vulnerabilities present in the Web
Application are identified and exploited. The following procedures would be carried out to achieve this
purpose:

Reconnaissance and Mapping

Reconnaissance is the first step in a Vulnerability Assessment and/or Penetration Test. It is also the most
important process of the test. In this phase, our testing team performs active and passive
reconnaissance of the target system. We manually navigate through the running application
to understand its basic functionality and workflow. This is performed on an actual device
or within a simulator/emulator for a deeper understanding of the application; all network traffic from
either the physical device or the emulator/simulator is proxied and sniffed, recorded and logged, and then
analysed further to find vulnerabilities.


Table of Contents

1 Executive Closure Summary
  1.1 Security Assessment
  1.2 Security Assessment
2 Detailed Technical Summary
  2.1.1 CLEAR TEXT SUBMISSION OF PASSWORD
  2.1.2 Cross site scripting (xss)
  2.1.3 BLIND SQL INJECTION
  2.1.4 ADMIN FUNCTIONALITY EXPOSED
  2.1.5 DIRECTORY LISTING
  2.1.6 AUTHENTICATION BYPASS (BRUTE FORCE)
  2.1.7 WEAK PASSWORD POLICY
  2.1.8 FORGOT PASSWORD MECHANISM IS NOT IMPLEMENTED


1 Executive Closure Summary


The following table summarizes the findings and overall risks identified during the security testing. For details,
refer to section 2, Detailed Technical Summary.

1.1 Security Assessment

A total of 08 risks were identified during the test.

Vulnerabilities Identified
  HIGH     04
  MEDIUM   03
  LOW      01

Graphical Representation of Vulnerabilities

1.2 Security Assessment

The graph below shows the total number of vulnerabilities discovered for each severity level
during the current security assessment:

[Bar chart: NUMBER OF VULNERABILITIES IDENTIFIED (Current Assessment): High 4, Medium 3, Low 1]


2 Detailed Technical Summary


2.1.1 CLEAR TEXT SUBMISSION OF PASSWORD

Abstract: Any web page containing sensitive information should transmit that information in a secured
way. The Book Ur Show login page transmits it in the form of plain text.
Severity: High
Impact: Attackers can use any sniffing tool such as Wireshark or Cain&Abel to steal the credentials,
since the passwords are sent in plain text.
POC: [screenshot]

Recommendation: Move all of the critical forms and pages to HTTPS and do not serve them over HTTP.
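One way to enforce the recommendation server-side, as an added example that is not part of the report or of the BookUrShow code: refuse to render the login form over plain HTTP, redirect to a fixed canonical HTTPS host (not the client-supplied Host header, which would allow an open redirect), send an HSTS header, and mark the session cookie Secure. The host name, script paths and the trusted-proxy assumption are placeholders.

```php
<?php
// Added example (not from the BookUrShow report): force HTTPS for sensitive pages.
// Assumptions: PHP runs under a web server that populates $_SERVER['HTTPS'];
// CANONICAL_HOST is a placeholder for the real site host.
declare(strict_types=1);

const CANONICAL_HOST = 'bookurshow.example';   // placeholder host, configured, never taken from the request

/** True when the request arrived over TLS, directly or via a trusted reverse proxy. */
function isHttps(array $server, bool $behindTrustedProxy = false): bool
{
    if (!empty($server['HTTPS']) && strtolower((string)$server['HTTPS']) !== 'off') {
        return true;
    }
    // Only honour X-Forwarded-Proto when a proxy you control sets it; clients can forge it otherwise.
    return $behindTrustedProxy
        && strtolower((string)($server['HTTP_X_FORWARDED_PROTO'] ?? '')) === 'https';
}

/** Returns the HTTPS URL to redirect to, or null when the request is already secure. */
function httpsRedirectTarget(array $server): ?string
{
    if (isHttps($server)) {
        return null;
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    // Keep only the path and query so the redirect cannot be pointed at another host.
    $path = parse_url($uri, PHP_URL_PATH) ?: '/';
    $query = parse_url($uri, PHP_URL_QUERY);
    return 'https://' . CANONICAL_HOST . $path . ($query !== null && $query !== '' ? '?' . $query : '');
}

/** Call at the top of login.php and every other page that handles credentials. */
function enforceHttps(array $server): void
{
    $target = httpsRedirectTarget($server);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;   // never emit the form over HTTP
    }
    // Browsers remember to use HTTPS for this host for one year.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    // Session cookie is sent only over TLS and is unreadable from JavaScript.
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Constructed request environments for a stand-alone CLI run (no real server involved).
$plainHttp = ['HTTPS' => '', 'REQUEST_URI' => '/login.php?next=%2Fbook'];
$tls       = ['HTTPS' => 'on', 'REQUEST_URI' => '/login.php'];
echo 'plain HTTP request -> ' . var_export(httpsRedirectTarget($plainHttp), true) . "\n";
echo 'TLS request        -> ' . var_export(httpsRedirectTarget($tls), true) . "\n";
```

The redirect alone does not protect a user whose first request went out over HTTP (the credentials were not yet sent, but the response could be tampered with); the HSTS header closes that window for returning visitors, and the web server should additionally be configured to listen only on the TLS port for these paths.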


2.1.2 Cross site scripting (xss)

Abstract: Cross site scripting, better known as XSS, is in fact a subset of HTML
injection. XSS is the most prevalent and pernicious web application security
issue. XSS flaws occur whenever an application takes data that originated from
a user and sends it to a web browser without first validating or encoding that
content. XSS allows attackers to execute script in the victim's browser, which
can hijack user sessions, deface web sites, insert hostile content, conduct
phishing attacks, and take over the user's browser using scripting malware.
The malicious script is usually JavaScript, but any scripting language
supported by the victim's browser is a potential target for this attack.
The most common web application security weakness is the failure to properly
validate input from the client or environment. This weakness leads to almost
all of the major vulnerabilities in applications, such as injection attacks,
interpreter injection, locale/Unicode attacks, file system attacks and buffer
overflows.
Severity: High
Impact: Exploited XSS is commonly used to achieve the following malicious results:
  Identity theft
  Redirection to malicious websites
  Accessing sensitive or restricted information
  Spying on users' web browsing habits

POC: [screenshot]


Recommendation

Input Validation:
It is recommended to use a standard server-side as well as client-side input
validation mechanism to validate all input data for length, type, syntax,
and business rules before accepting the data to be stored.
Output Encoding:
It is recommended that all user-supplied data is appropriately entity
encoded (either HTML or XML depending on the output mechanism)
before being rendered on an HTML page. For PHP, the htmlentities() or
htmlspecialchars() functions can be used to avoid cross site scripting.
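Both halves of the recommendation in one place, as an added example that is not part of the report or of the BookUrShow code: a server-side validator for a city-name field (length, character set) and an output encoder built on htmlspecialchars() with the flags that also cover attribute contexts. The field name, the rule "letters, spaces and hyphens, at most 64 characters" and the sample inputs are constructed for the example.

```php
<?php
// Added example (not from the BookUrShow report): validate on input, encode on output.
declare(strict_types=1);

/**
 * Server-side validation for a city name (assumed rule: 1-64 characters,
 * letters, spaces and hyphens only). Returns the cleaned value or null on failure.
 */
function validateCityName(string $raw): ?string
{
    $value = trim($raw);
    if ($value === '' || strlen($value) > 64) {
        return null;
    }
    if (!preg_match('/^[\p{L} \-]+$/u', $value)) {
        return null;
    }
    return $value;
}

/** Output encoding for HTML text nodes and quoted attribute values. */
function e(string $value): string
{
    // ENT_QUOTES also encodes single quotes, ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string, ENT_HTML5 selects HTML5 entity rules.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable rendering: user data is concatenated straight into the page. */
function renderVulnerable(string $search): string
{
    return '<p>Results for: ' . $search . '</p>';
}

/** Hardened rendering: the same page with the value encoded before it reaches the browser. */
function renderSafe(string $search): string
{
    return '<p>Results for: ' . e($search) . '</p>';
}

// Constructed inputs: a legitimate city, markup, and an attribute-breaking value.
$inputs = ['Pune', '<script>alert(1)</script>', 'Bengaluru" onmouseover="alert(1)'];
foreach ($inputs as $in) {
    $valid = validateCityName($in);
    echo 'input:      ' . $in . "\n";
    echo 'validation: ' . ($valid === null ? 'rejected' : 'accepted') . "\n";
    echo 'vulnerable: ' . renderVulnerable($in) . "\n";
    echo 'encoded:    ' . renderSafe($in) . "\n\n";
}
```

Validation rejects the two hostile inputs here, but encoding is still applied to every value on output: validation rules are field-specific and get relaxed over time (a free-text review field cannot reject angle brackets), whereas the encoder is correct for any string placed in an HTML text or attribute context. Values placed inside JavaScript, URLs or CSS need a context-specific encoder instead.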


2.1.3 BLIND SQL INJECTION

Abstract: SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries
in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their
input appears and interfere with the structure of the surrounding query.
Severity: High
Impact: Blind SQL Injection is based on true and false input. If the input is true, the server gives one response,
and if false, another. A malicious user can gain unauthorized access by inserting true
conditions through SQL commands.
POC: [screenshot]


Recommendation: Proper input validation is required. Use HTML entities in order to ban special
characters supplied by an attacker.
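The true/false behaviour described under Impact, shown against a string-built query and against a prepared statement, as an added example that is not part of the report or of the BookUrShow code. The report's recommendation mentions entity encoding; this example uses PDO parameter binding instead, which is the standard control for SQL injection because the database receives the user value as data rather than as query text. The table, rows and account names are constructed; it runs against an in-memory SQLite database (pdo_sqlite).

```php
<?php
// Added example (not from the BookUrShow report): string-built SQL versus a prepared statement.
declare(strict_types=1);

/** Constructed users table in an in-memory SQLite database. */
function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    foreach ([['alice', password_hash('correct horse', PASSWORD_DEFAULT)],
              ['bob',   password_hash('battery staple', PASSWORD_DEFAULT)]] as $row) {
        $ins->execute($row);
    }
    return $db;
}

/** Vulnerable: the user value is spliced into the SQL text, so quotes change the query structure. */
function countUsersVulnerable(PDO $db, string $username): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$username'";
    return (int)$db->query($sql)->fetchColumn();
}

/** Hardened: the value is bound as a parameter and can only ever match a username literally. */
function countUsersSafe(PDO $db, string $username): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return (int)$stmt->fetchColumn();
}

$db = setupDb();
// A real user, an unknown user, and the textbook always-true condition the Impact text describes.
foreach (['alice', 'nobody', "x' OR '1'='1"] as $probe) {
    printf("%-16s vulnerable=%d  prepared=%d\n",
        $probe, countUsersVulnerable($db, $probe), countUsersSafe($db, $probe));
}
```

The vulnerable query answers the third probe with the full row count because the injected condition is always true, which is exactly the true/false oracle a blind injection relies on; the prepared statement answers 0 because no account is literally named that string. Input validation remains useful as a second layer (a city id should be an integer), but it is the binding that removes the vulnerability.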


2.1.4 ADMIN FUNCTIONALITY EXPOSED

Abstract: Site crawlers can be used, or one can spider the host/target, to discover sensitive information such as
configuration settings, hidden URLs, confidential documents etc. In the process of extracting sensitive
information, a malicious user can obtain information about admin-related files as well.
Severity: High
Impact: At the time of crawling, an attacker can gain a list of the various PHP files lying on the server. One of them is
deletecity.php. The function of this file is to delete any city's name from the database. This is admin-level
functionality.

POC: [screenshot]

Recommendation: Move all of the critical forms and pages to HTTPS and do not serve them over HTTP.
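The control that actually stops an unauthenticated crawler from using deletecity.php is a server-side authorization check on every request, regardless of whether the URL is discoverable. As an added example that is not part of the report or of the BookUrShow code, the guard below distinguishes "not logged in" from "logged in but not an administrator" and is re-checked inside the business function itself. The session layout (user_id, role), the cities table and the sample sessions are constructed; the file name deletecity.php is the one named in the finding.

```php
<?php
// Added example (not from the BookUrShow report): authorization guard for admin-only scripts.
declare(strict_types=1);

const ROLE_ADMIN = 'admin';   // assumed role name stored in the session at login

/**
 * Decide whether the current session may use an admin function.
 * Returns an HTTP status: 401 when nobody is logged in, 403 when the user
 * lacks the admin role, 200 when allowed. Obscurity of the URL is not a control.
 */
function authorizeAdmin(array $session): int
{
    if (empty($session['user_id'])) {
        return 401;
    }
    if (($session['role'] ?? '') !== ROLE_ADMIN) {
        return 403;
    }
    return 200;
}

/** First statement of deletecity.php and every other admin script: stop before any work is done. */
function requireAdmin(array $session): void
{
    $status = authorizeAdmin($session);
    if ($status !== 200) {
        http_response_code($status);
        exit('Forbidden');
    }
}

/**
 * The admin operation itself. It re-checks authorization (defence in depth) and
 * uses a bound parameter for the id. A real script would also accept POST only.
 */
function deleteCity(PDO $db, array $session, int $cityId): bool
{
    if (authorizeAdmin($session) !== 200) {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM cities WHERE id = ?');
    $stmt->execute([$cityId]);
    return $stmt->rowCount() === 1;
}

// Constructed cities table in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cities (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO cities (name) VALUES ('Mumbai'), ('Delhi')");

// Constructed sessions: an anonymous crawler, an ordinary user and an administrator.
$sessions = [
    'anonymous' => [],
    'user'      => ['user_id' => 7, 'role' => 'user'],
    'admin'     => ['user_id' => 1, 'role' => ROLE_ADMIN],
];
foreach ($sessions as $label => $session) {
    $deleted = deleteCity($db, $session, 1);
    printf("%-9s status=%d deleted=%s\n", $label, authorizeAdmin($session), $deleted ? 'yes' : 'no');
}
```

Only the administrator session removes the row; the crawler's request is refused before the query is built. Keeping the check in a single function that every admin script calls first makes the 403 path easy to log, which is also the detection signal for someone probing the discovered admin URLs.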


2.1.5 DIRECTORY LISTING

Abstract: An attacker can learn the list of directories and the files in them by checking for improper
permissions on the URL and parsing through the URL paths.
Severity: Medium
Impact: A directory listing attack consists in exploiting insufficient security validation/sanitization of user-supplied
input file names, so that characters representing "traverse to parent directory" are passed through to the
file APIs.
POC: [screenshot]

Recommendation: Implement proper access controls over the URLs so that an attacker cannot parse
through the URLs to get to the sensitive information.


2.1.6 AUTHENTICATION BYPASS (BRUTE FORCE)

Abstract: An attacker can bypass the privileges by performing brute force, dictionary, syllable and hybrid attacks
to gain unauthorized access to the web page.
Severity: Medium
Impact: An issue exists in the BookUrShow application that could allow an unauthorized user to brute force the
password of user accounts when Web Publishing is enabled.
POC: [screenshot]

Recommendation:

1. Ensure that users follow proper password policies such as using hard-to-guess passwords.
2. HTTP basic authentication is generally not considered a secure mechanism and should be run over
an SSL-enabled port.


2.1.7 WEAK PASSWORD POLICY

Abstract: One should use strong password policies to harden password strength and should increase the
minimum password length to 16 characters so as to protect against any brute force mechanism. Passwords can be cracked
easily given enough time and high-capacity resources. If the password strength is low, it can easily
lead to exposure of the users' sensitive details once the passwords are cracked.
Severity: Medium
Impact: It was found in the change password option that the application accepts a single-character password, so
an attacker can easily break the password.

POC: [screenshot]

Recommendation:
1. Password length should be a minimum of 8 characters.
2. Passwords should be a combination of alphanumeric characters.
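The two authentication findings belong together: 2.1.7 asks for a password policy and 2.1.6 for protection against guessing. As an added example that is not part of the report or of the BookUrShow code, the block below enforces the report's recommendation (minimum 8 characters, letters and digits) in a change-password check, and adds a failed-attempt lockout to the login path, with passwords stored as password_hash() output. The lockout threshold of 5 attempts and the 15-minute window are assumptions; the attempt table is an in-memory array here and would live in the database in a deployment.

```php
<?php
// Added example (not from the BookUrShow report): password policy (2.1.7) and login throttling (2.1.6).
declare(strict_types=1);

const MIN_PASSWORD_LENGTH = 8;    // the report's recommended minimum
const MAX_FAILED_ATTEMPTS = 5;    // assumed lockout threshold
const LOCKOUT_SECONDS     = 900;  // assumed lockout window (15 minutes)

/** Returns the list of policy violations; an empty list means the password is acceptable. */
function passwordPolicyViolations(string $password): array
{
    $problems = [];
    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        $problems[] = 'shorter than ' . MIN_PASSWORD_LENGTH . ' characters';
    }
    if (!preg_match('/[A-Za-z]/', $password)) {
        $problems[] = 'contains no letters';
    }
    if (!preg_match('/[0-9]/', $password)) {
        $problems[] = 'contains no digits';
    }
    return $problems;
}

/** True while the account is locked because of too many recent failures. */
function isLockedOut(array $attempts, string $username, int $now): bool
{
    $rec = $attempts[$username] ?? null;
    return $rec !== null
        && $rec['count'] >= MAX_FAILED_ATTEMPTS
        && ($now - $rec['last']) < LOCKOUT_SECONDS;
}

/**
 * Verify a login and update the attempt table. Returns 'locked', 'failed' or 'ok'.
 * $users maps username to a password_hash() value.
 */
function attemptLogin(array &$attempts, array $users, string $username, string $password, int $now): string
{
    if (isLockedOut($attempts, $username, $now)) {
        return 'locked';   // do not even evaluate the password while locked
    }
    $hash = $users[$username] ?? null;
    if ($hash !== null && password_verify($password, $hash)) {
        unset($attempts[$username]);   // a successful login clears the counter
        return 'ok';
    }
    $count = ($attempts[$username]['count'] ?? 0) + 1;
    $attempts[$username] = ['count' => $count, 'last' => $now];
    return 'failed';
}

// Constructed account whose password satisfies the policy.
$users = ['alice' => password_hash('Show2024ticket', PASSWORD_DEFAULT)];
$attempts = [];

// Policy check on a single character (the finding), a common word, and a compliant password.
foreach (['a', 'password', 'Show2024ticket'] as $candidate) {
    $v = passwordPolicyViolations($candidate);
    printf("policy %-16s %s\n", $candidate, $v ? implode(', ', $v) : 'ok');
}

// Six wrong guesses in a row, then the right password inside and after the lockout window.
$t = 1700000000;
for ($i = 0; $i < 6; $i++) {
    echo 'guess ' . ($i + 1) . ': ' . attemptLogin($attempts, $users, 'alice', 'wrong' . $i, $t + $i) . "\n";
}
echo 'correct password during lockout: ' . attemptLogin($attempts, $users, 'alice', 'Show2024ticket', $t + 10) . "\n";
echo 'correct password after lockout:  ' . attemptLogin($attempts, $users, 'alice', 'Show2024ticket', $t + LOCKOUT_SECONDS + 60) . "\n";
```

The sixth guess and the correct password sent during the window both come back 'locked', which is the response a monitoring rule should key on; a burst of 'locked' results for many usernames from one client is the signature of the dictionary attack described in 2.1.6. Per-account lockout should be paired with per-IP rate limiting so that an attacker cannot lock legitimate users out on purpose.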


2.1.8 FORGOT PASSWORD MECHANISM IS NOT IMPLEMENTED

Abstract: Developers frequently build custom authentication schemes, but implementing them
is hard. As a result, these custom schemes frequently have flaws.
Severity: Low
Impact: Implement forgot password mechanism.
Recommendation: Implement forgot password mechanism.
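Because the Abstract warns that custom authentication schemes tend to have flaws, the reset flow is where a newly written forgot-password feature most often goes wrong (guessable tokens, tokens that never expire, tokens reusable after one reset). As an added example that is not part of the report or of the BookUrShow code, the token handling below draws the token from the CSPRNG, stores only its hash, gives it an expiry and makes it single-use. The 30-minute validity is an assumption, the store is an in-memory array standing in for a database table, and sending the email is left out.

```php
<?php
// Added example (not from the BookUrShow report): random, hashed, expiring, single-use reset tokens.
declare(strict_types=1);

const RESET_TTL_SECONDS = 1800;   // assumed 30-minute validity

/**
 * Create a reset token for a user. Only the SHA-256 of the token is stored, so a copy
 * of the table does not yield usable tokens; the raw token goes into the emailed link.
 */
function issueResetToken(array &$store, string $username, int $now): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the operating system CSPRNG
    $store[$username] = [
        'hash'    => hash('sha256', $token),
        'expires' => $now + RESET_TTL_SECONDS,
        'used'    => false,
    ];
    return $token;
}

/** Returns true, and marks the token used, only when it matches, is unexpired and unused. */
function consumeResetToken(array &$store, string $username, string $token, int $now): bool
{
    $rec = $store[$username] ?? null;
    if ($rec === null || $rec['used'] || $now > $rec['expires']) {
        return false;
    }
    // Constant-time comparison, so response timing does not reveal how many bytes matched.
    if (!hash_equals($rec['hash'], hash('sha256', $token))) {
        return false;
    }
    $store[$username]['used'] = true;
    return true;
}

$store = [];
$now = 1700000000;
$token = issueResetToken($store, 'alice', $now);

echo 'wrong token:    ' . var_export(consumeResetToken($store, 'alice', str_repeat('0', 64), $now), true) . "\n";
echo 'right token:    ' . var_export(consumeResetToken($store, 'alice', $token, $now + 60), true) . "\n";
echo 'replayed token: ' . var_export(consumeResetToken($store, 'alice', $token, $now + 120), true) . "\n";
$late = issueResetToken($store, 'alice', $now);
echo 'expired token:  ' . var_export(consumeResetToken($store, 'alice', $late, $now + RESET_TTL_SECONDS + 1), true) . "\n";
```

Only the second call succeeds. The page that asks for the username or email address should respond identically whether or not the account exists, and a successful reset should invalidate existing sessions for that account.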

