
KiwiQA Services - Engage. Experience. Excel.

Web Application VAPT Report

for

10th March, 2017

1 KiwiQA Services - Confidential


SCOPE OF TEST

Name of the Organization: Nava Finance
Name of the Application: Navaloans web application
Scope of Service: Penetration Testing
Duration of Test: 7 work days

PROJECT TEAM POINT OF CONTACT

Name: Security Team - KiwiQA
Email ID: security@kiwiqa.com
Document Approved by: Niranjan Limbachiya
Email ID: Niranjan.limbachiya@kiwiqa.com

CLIENT POINT OF CONTACT

Document Recipient Name: Mukesh Patel
Email ID:

DOCUMENT HISTORY

Date             Version   Author   Comments
10th March 2017  1.0       Joseph   -



Table of Contents
INTRODUCTION ................................................................................................................................................. 5

FOCUS & OBJECTIVE .......................................................................................................................................... 5

TERMINOLOGY AND SCORE............................................................................................................................... 5

Information Gathering................................................................................................................................... 6

Website Information ..................................................................................................................................... 6

WEB APPLICATION VULNERABILITIES................................................................................................................ 7

Classification by impact severity ................................................................................................................... 7

VULNERABILITY DETAIL AND MITIGATION ........................................................................................................ 8

Vulnerability #1: E-mail Bombing and Spamming ......................................................................................... 8

Vulnerability #2: Clickjacking ......................................................................................................................... 8

Vulnerability #3: Session Cookie without Secure Flag ................................................................................ 10

Vulnerability #4: Server/OS Information Leakage ....................................................................................... 11

Vulnerability #5: Missing Security Headers ................................................................................................. 11

Vulnerability #6: Password Field with Auto-Complete Enabled.................................................................. 12

EXPLOIT VECTORS TESTED ............................................................................................................................... 14

Test #A1: Injection Attacks .......................................................................................................................... 14

Test #A2: Broken Authentication and Session Management...................................................................... 14

Test #A3: Cross Site Scripting (XSS) ............................................................................................................. 16

Test #A4: Insecure Direct Object Reference ............................................................................................... 16

Test #A5: Security Misconfiguration ........................................................................................................... 17

Test #A6: Sensitive Data Exposure .............................................................................................................. 17

Test #A7: Missing Functional Level Access Control ..................................................................................... 17

Test #A8: Cross Site Request Forgery .......................................................................................................... 17

Test #A9: Using Components with known Vulnerabilities .......................................................................... 18



Test #A10: Unvalidated Redirects and Forwards ........................................................................................ 18

Test #11: Information Gathering ................................................................................................................. 18

Test #12: Configuration and Deployment Management Testing ................................................................ 18

Test #13: Identity Management Testing ..................................................................................................... 20

Test #14: Cryptography ............................................................................................................................... 22

Test #15: Business Logic .............................................................................................................................. 23

Test #16: Client Side Testing ....................................................................................................................... 23

CONCLUSION ................................................................................................................................................... 25



INTRODUCTION
Security assessment is a process that enables an understanding of threats for better defence.
Penetration testing simulates methods that intruders adopt to gain unauthorized access to an
organization’s network systems, proceeding to compromise them. Most attackers follow conventional
approaches to attempt a penetration.

Our security testing components focus on high-severity vulnerabilities and strive to unearth
application-level security issues to help provide valuable insights to development teams.

FOCUS & OBJECTIVE

The objective is to find potential vulnerabilities latent in the web application's interfaces and to run
simulated exploits to assess the possibility of compromise, covering all attack vectors and tracing the
attack surface.

The core intent of running a VAPT test on the target web applications is to evaluate the ease of gaining
unauthorized access to the system by using different types of real-world exploits and common attack
patterns to access the network or data. The exercise offers visibility into the possible impact of the flaw
on the underlying network, operating system, database etc. using many methods a malicious hacker
would attempt.

TERMINOLOGY AND SCORE


CVE is a dictionary of publicly known information security vulnerabilities and exposures.

CVE’s common identifiers enable data exchange between security products and provide a baseline index
point for evaluating coverage of tools and services. An information security "vulnerability" is a mistake in
a software application, configuration or operating system that can be directly used by a hacker to gain
access to a system or network.

Vulnerability - a weakness which allows a hacker to break into / compromise a system's security
Exploit - code which allows an attacker to take advantage of a vulnerable system
Payload - actual code which runs on the system after exploitation



CVSS score range   Severity in advisory   Description

8.0 – 10.0   Critical
    Issues that allow an attacker to run executable code of their choice on the
    machine, with ease, and without assistance from the user.
    Impact: All services completely lost and no workaround is immediately
    available. Mission critical data associated with the appliance is disclosed
    or corrupted.

6.0 – 7.9   High
    Issues that allow an attacker to run executable code of their choice on the
    machine, with great difficulty, or requiring significant user interaction.
    Impact: Major functionality of the appliance is severely impaired.
    Operations can continue in a restricted fashion, although long-term
    productivity might be adversely affected. Extensive loss or corruption of
    critical data.

3.0 – 5.9   Medium
    Issues that require an attacker to reside on the same local network as the
    victim.
    Impact: Affects only non-standard configurations or obscure applications.

0.0 – 2.9   Low
    Vulnerabilities in the low range typically have very little impact on an
    organization’s business. Exploitation of such vulnerabilities usually
    requires local or physical system access.
    Impact: Privacy leaks on non-confidential data, such as dates visited,
    cached files, visited history, etc.

Information Gathering

Site: https://integration.navaloans.com
Domain: navaloans.com
IP Address: 52.49.68.117
Netblock Owner: Amazon Data Services Ireland Limited
Domain registrar: amazon.com
DNS Admin: awsdns-hostmaster@amazon.com
Organization: Whois Privacy Service, P.O. Box 81226, Seattle, 98108-1226, United States
Hosting Country: ie

Website Information

OS guessed: Unix
Server: Apache/2.4.25
Application Framework: JSP



WEB APPLICATION VULNERABILITIES

Classification by impact severity

Medium: 66.67%
Low: 33.33%

Severity   Vulnerability identified                           Assessed Impacts
Medium     Email Bombing and Spamming                         Spamming of user inbox, system crashes, failure of service
Medium     Clickjacking                                       User action manipulation, theft of sensitive user inputs
Medium     Missing Cookie Attributes                          Disclosure of sensitive information
Medium     Information Disclosure                             Unintentional data leakage
Low        Missing Security Headers                           Information theft
Low        Password Field with Autocomplete feature Enabled   Unauthorized user information disclosure



VULNERABILITY DETAIL AND MITIGATION

Vulnerability #1: E-mail Bombing and Spamming

Vulnerability Details: Email Bombing and Spamming of valid user accounts

Description: The vulnerability allows spamming of email messages to a particular user email address
registered on the victim site. Such messages are commonly large and constructed from unintelligible
data in an effort to consume additional system and network resources required for processing them.
Also, hundreds or thousands of accounts on the target site may be simultaneously victimized in an
Email Spamming attack, increasing the denial of service severity on the target site’s servers. Email
spamming can be made worse if recipients reply to the email, causing all the original addressees to
receive the reply.

Severity: Medium

Impact: An attacker can use the mail server to bomb and spam your users’ inboxes by brute-forcing
the ‘forgot password’ functionality.

Business Impact: Loss of reputation.

Recommendation: Invalidate the Anti-CSRF token after a single use and issue a new one for the next
request, even for unauthenticated users.

(or)

Restrict the maximum number of emails sent to a specific user per hour. After more than 5 ‘forgot
password’ emails have been sent, throttle the particular user’s email ID / IP address.
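The throttling recommended above, as an added Python example that is not part of this report or of the Navaloans application: a sliding one-hour window of at most 5 reset mails per target address and per source IP, behind a handler that answers identically whether or not a mail was sent. The names ResetThrottle and handle_forgot_password, and the sample run, are assumptions constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # one hour, as in the recommendation
MAX_PER_WINDOW = 5      # more than 5 reset mails per hour triggers throttling


class ResetThrottle:
    """Sliding-window counter keyed by target email ID and by requesting IP."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._sent = defaultdict(deque)  # key -> timestamps of mails sent in the window

    def _recent(self, key, now):
        """Drop timestamps older than the window and return the live queue."""
        q = self._sent[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, email, ip, now):
        """True if a reset mail may be sent now; the send is recorded against both keys.
        Tracking both keys stops one inbox being bombed from many IPs and one IP
        bombing many inboxes (users behind a shared NAT share the per-IP budget)."""
        keys = (f"email:{email.strip().lower()}", f"ip:{ip}")
        if any(len(self._recent(k, now)) >= self.limit for k in keys):
            return False
        for k in keys:
            self._sent[k].append(now)
        return True


def handle_forgot_password(throttle, email, ip, now, send_mail):
    """Hypothetical 'forgot password' handler. The reply is identical whether the
    mail was sent, throttled, or the address is unknown (cf. Proof of Concept 13.1)."""
    if throttle.allow(email, ip, now):
        send_mail(email)
    return "If the address is registered, a password reset link has been sent."


if __name__ == "__main__":
    throttle = ResetThrottle()
    outbox = []
    # Constructed run: six requests for one address inside an hour; the sixth is dropped.
    for t in range(6):
        handle_forgot_password(throttle, "victim@example.com", "203.0.113.5", 1000 + t, outbox.append)
    print(len(outbox), "mails sent")
```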

Proof of Concept:

Vulnerability #2: Clickjacking

Vulnerability Details: X-Frame-Options header missing.

CVE / CWE Reference: CWE-693

Description: Clickjacking (aka User Interface redress attack, UI redress attack, UI redressing) can
be used to trick a web user into clicking on something different from what the user perceives they
are clicking on, thereby stealing sensitive information, which could also lead to a take-over of
their computer while clicking on seemingly harmless web pages. A web application can be misused in
a Clickjacking attack if it allows an attacker to load its webpages in an iframe overlay, so that a
malicious webpage is aligned in such a manner that, for instance, the login button on the safe
webpage lines up over a “click here to win $1 million” button on the concealed, infected website.
In this case, the server did not return an X-Frame-Options header, which means that this website
could be used to launch a Clickjacking attack.

Effects: Manipulation of user actions; data and identity theft. Affected areas: all pages where
clicks can manipulate data, e.g. deleting users in the admin role in the user management portal.

Severity: Medium

Impact: Manipulation of user controls/input and leakage of sensitive user information.

Recommendation: Configure your web server to include an X-Frame-Options header. Consult web
references for more information about the possible values for this header.

Proof of Concept:



Vulnerability #3: Session Cookie without Secure Flag

Vulnerability Details: Secure flag not set

CVE / CWE Reference: CVE-2008-4122

Description: When a cookie is set with the Secure flag, it instructs the browser that the cookie
may only be sent over secure SSL channels. This is an important security protection for session
cookies.

The cookie appears to contain a session token, which may increase the risk associated with this
issue.

The cookie in the screenshot does not have the Secure flag set. As a result, the session cookie
will be sent over unencrypted HTTP channels.

Effects: Loss of user data confidentiality. Unauthorized parties can steal or modify an
authenticated user’s cookies and read the sensitive information stored in them for use in identity
theft and impersonation attacks.

Severity: Medium

Impact: The cookie (typically your session cookie) becomes vulnerable to theft or manipulation by
malicious script.

Recommendation: Review the contents of cookies to determine their functions. Set the Secure flag on
session cookies carrying sensitive information.

Proof of Concept:



Vulnerability #4: Server/OS Information Leakage

Vulnerability Details: Unintended information leakage through server response headers

Description: Information such as the technology used, its version, and OS details and version are
returned in server response headers.

Effects: Targeted attacks are possible because of the leakage of such information.

Severity: Medium

Technical Impact: Exposure of sensitive information aiding reconnaissance.

Business Impact: Security Best Practice Violation.

Recommendation: The X-Powered-By header can carry a “deception value” rather than the actual
technologies that are being used.

Proof of Concept:

Vulnerability #5: Missing Security Headers

Vulnerability Details: Security headers are missing in the response from the server

Description: There are a few security headers which are recommended as a best practice. These
headers can help prevent certain attacks like cookie stealing, XSS, clickjacking etc.

Severity: Low

Effects: Missing Best Practice

Technical Impact: Cookie stealing, XSS, Clickjacking attacks

Business Impact: Loss of confidentiality of user data.

Recommendation: It is best practice to implement security headers such as:
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Content-Type: text/html; charset=utf-8
  Strict-Transport-Security
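To make the checks behind Vulnerabilities #2 to #5 repeatable, the following is an added Python audit that is not part of this report or of the Navaloans application: it parses a raw HTTP response and reports a missing X-Frame-Options header (#2), a Set-Cookie without the Secure flag (#3), version-bearing Server and X-Powered-By headers (#4), and the other headers listed above (#5). Both sample responses are constructed; the hardened one reflects the recommendations in this section.

```python
import re

# Constructed sample: an Apache/JSP response showing the weaknesses this report describes.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.25\r\n"
    "X-Powered-By: JSP/2.3\r\n"
    "Set-Cookie: JSESSIONID=EXAMPLESESSIONID; Path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed sample: the same response after the report's recommendations are applied.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: JSESSIONID=EXAMPLESESSIONID; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)

# Headers whose absence the report flags, mapped to the finding text.
REQUIRED_HEADERS = {
    "x-frame-options": "Vulnerability #2: X-Frame-Options missing (clickjacking)",
    "x-content-type-options": "Vulnerability #5: X-Content-Type-Options missing",
    "x-xss-protection": "Vulnerability #5: X-XSS-Protection missing",
    "strict-transport-security": "Vulnerability #5: Strict-Transport-Security missing",
}


def parse_headers(raw):
    """Split a raw response into (lowercased name, value) pairs, status line dropped.
    A list rather than a dict, because Set-Cookie legitimately repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_set_cookie(value):
    """Return (cookie name, set of lowercased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit(raw):
    """Return the findings for one response: missing headers first, then per-header issues."""
    headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]
    for name, value in headers:
        if name == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"Vulnerability #3: cookie {cookie} lacks the Secure flag")
        elif name == "server" and re.search(r"\d", value):
            findings.append(f"Vulnerability #4: Server header leaks a version ({value})")
        elif name == "x-powered-by":
            findings.append(f"Vulnerability #4: X-Powered-By discloses technology ({value})")
        elif name == "content-type" and "charset=" not in value.lower():
            findings.append("Vulnerability #5: Content-Type lacks a charset")
    return findings


if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label + ":", *(audit(raw) or ["no findings"]), sep="\n  ")
```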

Vulnerability #6: Password Field with Auto-Complete Enabled

Vulnerability Details: Auto-complete is enabled on the username and password fields by default

CVE / CWE Reference: CWE-200

Description: The login form contains password fields for which the browser auto-complete feature
is enabled. Auto-complete stores completed form field entries (usernames, passwords, contact
information) locally in the browser, so that these fields are filled automatically when the user
visits the site again. When a new name and password are entered in a form and the form is
submitted, the browser asks if the password should be saved. Thereafter, when the form is
displayed, the name and password are filled in automatically or are listed as suggestions as the
user types.

Severity: Low

Impact: Sensitive data and passwords can be stolen if the user's system is compromised.

Recommendation: Password auto-complete should be disabled in forms collecting sensitive user
input. To disable auto-complete, you may use code similar to:

<input type="password" autocomplete="off">

However, form auto-complete is a non-standard, browser-side feature that each browser handles
differently. Opera, for example, disregards the feature, requiring the user to enter credentials
on each website visit.



Proof of Concept

EXPLOIT VECTORS TESTED

Following are the details pertaining to the common attack scenarios which were simulated for the
application. This section also includes a definitive list of exploit vectors that were tested and the
corresponding security posture of the application.

Test #A1: Injection Attacks

Test Details: Injection attacks

Description: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is
sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the
interpreter into executing unintended commands or accessing data without proper authorization.

Result: Pass

Test #A2: Broken Authentication and Session Management

Vulnerability Details: Authentication and Authorization issues

Description: Application functions related to authentication and session management are often not
implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to
exploit other implementation flaws to assume other users’ identities.

Scenarios Tested:
  Testing for Credentials Transported over an Encrypted Channel: Pass (Proof of Concept A2.1)
  Testing for default credentials: Pass
  Testing for Weak lock out mechanism: Pass
  Testing for bypassing authentication schema: Pass
  Test remember password functionality: Pass
  Testing for Browser cache weakness: Pass (after logout the browser cache is cleared)
  Testing for Weak password policy: Pass (Proof of Concept A2.2)
  Testing for Weak security question/answer: Pass (Not Applicable)
  Testing for weak password change or reset functionalities: Pass (Proof of Concept A2.3)
  Testing for Weaker authentication in alternative channel: Pass
  Directory Traversal: Pass
  Bypassing authorization schema: Pass
  Privilege Escalation: Pass
  Insecure Direct Object References: Pass
  Testing for Bypassing Session Management Schema: Pass
  Testing for Cookies attributes: Fail (Vulnerability #3)
  Testing for Session Fixation: Pass (session-id before and after login are different)
  Testing for Exposed Session Variables
  Testing for logout functionality

Proof of Concept A2.1:

Credentials are transported over SSL.

Proof of Concept A2.2:

The password needs to be 8 characters with at least one non-alphabetic character.

Proof of Concept A2.3:

The token was tested for randomness and reusability and passed each check.

Test #A3: Cross Site Scripting (XSS)

Vulnerability Details: Cross Site Scripting – Reflected, Stored, DOM

Description: XSS flaws occur whenever an application takes untrusted data and sends it to a web
browser without proper validation or escaping. XSS allows attackers to execute scripts in the
victim’s browser which can hijack user sessions, deface web sites, or redirect the user to
malicious sites.

Result: Pass

Test #A4: Insecure Direct Object Reference

Vulnerability Details: Insecure Direct Object References

CVE / CWE Reference: CWE-813

Description: Insecure Direct Object References occur when an application provides direct access to
objects based on user-supplied input. As a result of this vulnerability, attackers can bypass
authorization and access resources in the system directly, for example database records or files.

Result: Pass

Test #A5: Security Misconfiguration

Vulnerability Details: Default configurations set in frameworks

Description: Good security requires having a secure configuration defined and deployed for the
application, frameworks, application server, web server, database server, and platform. Secure
settings should be defined, implemented, and maintained, as defaults are often insecure.
Additionally, software should be kept up to date.

Result: Pass

Test #A6: Sensitive Data Exposure

Vulnerability Details: Sensitive Data Exposure

Description: Many web applications do not properly protect sensitive data, such as credit cards,
tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data
to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra
protection such as encryption at rest or in transit, as well as special precautions when exchanged
with the browser.

Result: Pass

Test #A7: Missing Functional Level Access Control

Vulnerability Details: Missing Functional Level Access Control

Description: Most web applications verify function level access rights before making that
functionality visible in the UI. However, applications need to perform the same access control
checks on the server when each function is accessed. If requests are not verified, attackers will
be able to forge requests in order to access functionality without proper authorization.

Result: Pass

Test #A8: Cross Site Request Forgery

Test Details: Cross Site Request Forgery

CVE / CWE Reference: CWE-80

Description: Cross-site request forgery, also known as a one-click attack or session riding and
abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized
commands are transmitted from a user that the website trusts.
There is no CSRF protection in the application.

Effects: A successful cross-site request forgery attack is limited to the capabilities exposed by
the vulnerable application, ranging from identity theft to misuse of administrative privileges to
disruption of operations.

Result: Pass

Test #A9: Using Components with known Vulnerabilities

Vulnerability Details: Using Components with known Vulnerabilities

Description: Components, such as libraries, frameworks, and other software modules, almost always
run with full privileges. If a vulnerable component is exploited, such an attack can facilitate
serious data loss or server takeover. Applications using components with known vulnerabilities may
undermine application defenses and enable a range of possible attacks and impacts.

Result: Pass

Test #A10: Unvalidated Redirects and Forwards

Vulnerability Details: Open Redirection

Description: Web applications frequently redirect and forward users to other pages and websites,
and use untrusted data to determine the destination pages. Without proper validation, attackers can
redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Result: Pass

Test #11: Information Gathering

Vulnerability Details: Information Gathering

Description: Understanding the deployed configuration of the server hosting the web application.

Scenarios Tested:
  Fingerprint Web Server: Fail (Vulnerability #4)
  Review Webpage Comments and Metadata for Information Leakage: Pass

Test #12: Configuration and Deployment Management Testing

Vulnerability Details: Information Gathering

Description: The different elements that make up the infrastructure need to be determined in order
to understand how they interact with a web application and how they affect its security.

Scenarios Tested:
  Test Network/Infrastructure Configuration: Pass
  Test Application Platform Configuration: Pass
  Test File Extensions Handling for Sensitive Information: Pass
  Review Old, Backup and Unreferenced Files for Sensitive Information: Pass (did not find any old or backup files)
  Enumerate Infrastructure and Application Admin Interfaces: Pass (did not find any admin console)
  Test HTTP Methods: Pass (Proof of Concept 12.1)
  Test HTTP Strict Transport Security: Fail (Vulnerability #5)
  Test RIA cross domain policy: Pass (Proof of Concept 12.2)
  Test CDN Configuration for external file listing: Pass (Proof of Concept 12.3)

Proof of Concept 12.1:

The server did not respond to OPTIONS requests or to any other such methods.

Proof of Concept 12.2:

Proof of Concept 12.3:

Test #13: Identity Management Testing

Vulnerability Details: Identity Management Testing

Description: Validate that the system roles defined within the application sufficiently define and
separate each system and business role to manage appropriate access to system functionality and
information.

Scenarios Tested:
  Test Role Definitions: Only a single role in the application
  Test User Registration Process: Pass
  Test Account Provisioning Process: Pass
  Testing for Account Enumeration and Guessable User Account: Pass (Proof of Concept 13.1)
  Testing for Weak or unenforced username policy: Pass
  Test Permissions of Guest/Training Accounts: Pass
  Test Account Suspension/Resumption Process: Pass

Proof of Concept 13.1:

A generic message is displayed even if a user-id which is not present in the system is entered.



Test #14: Cryptography

Vulnerability Details: Cryptography

Description: Sensitive data must be protected when it is transmitted through the network. Such data
can include user credentials and credit cards. As a rule of thumb, if data must be protected when
it is stored, it must also be protected during transmission.

Result: Pass (Proof of Concept 14.1)

Proof of Concept 14.1:

The latest version of TLS is deployed.



Test #15: Business Logic

Vulnerability Details: Business Logic

Description: Testing for business logic flaws in a multi-functional dynamic web application requires
thinking in unconventional ways.

Result: Pass (the file upload on the /careers page was tested for abuse)

Test #16: Client Side Testing

Vulnerability Details: Client Side Testing

Description: Client-side testing is concerned with the execution of code on the client, typically
natively within a web browser or browser plugin. The execution of code on the client side is
distinct from executing on the server and returning the subsequent content.

Scenarios Tested:
  Testing for HTML Injection: Pass
  Rate Limiting Mechanism: Fail (Vulnerability #1)
  Clickjacking: Fail (Vulnerability #2)
  Testing for Cross Site Flashing: Pass
  Auto-Complete Enabled: Fail (Vulnerability #6)



CONCLUSION

The penetration testing performed on the target website discovered several vulnerabilities which could
expose sensitive data stored on the web servers. Application security testing revealed that data integrity is
at risk, which could lead to modification of data. These vulnerabilities could have had a dramatic effect on
operations if a malicious party had exploited them.

We assessed the attack environment of https://integration.navaloans.com with a view to detecting vulnerable
points and weak links in functionality and connectivity. Our security analysts have unearthed a substantial
number of medium (66.67%) and low level vulnerabilities (33.33%), lurking predominantly in how the
application handles and processes user inputs and presents sensitive information to the user. These
loopholes could grease the wheels for a host of cyber attacks on unsuspecting users as well as service
disruption.

In furtherance of the effectiveness of our vulnerability scanning, we have provided practical guidance for
risk mitigation with remediation techniques, best practices and tactical approaches to optimal security
maintenance. These recommendations have been developed with core competency and operational
efficiency as the prime focus and will be instrumental in achieving sustained threat protection.

The specific goals of the penetration test were as follows:

- Determine whether a remote attacker could penetrate the web application.
- Ascertain the impact of a security breach on data confidentiality and systems availability.

The aforementioned targets have been successfully met, and the results are elucidated in this report.

It is important to note that seemingly minor design and functionality issues could be leveraged in attempts
to compromise the application and the web server. We suggest deployment of the recommended
mitigation techniques and controls as well as security protocols to secure the website and databases.

