Lifestyle Store

Detailed Developer Report


Security Status – Extremely Vulnerable
• An attacker can extract the entire database of the Lifestyle Store application (SQL injection).
• An attacker can take control of the server and read the database by uploading a web shell through the blog file upload.
• An attacker can log in to the blog admin panel with its default password and change any content on the website.
• An attacker can read and edit the details of every customer by changing a user id or order id in the URL (IDOR).
• An attacker can reset the admin password by brute-forcing the three-digit OTP and take over the admin account.
• An attacker holding any account, for example a seller account, can open the admin panel by forced browsing.
• An attacker in the admin panel can run operating-system commands on the server through the built-in console.
Vulnerability Statistics

Severity   Count
Critical   9
Severe     14
Moderate   5
Low        8
Vulnerabilities

No.  Severity  Vulnerability                                       Count
1    Critical  SQL Injection                                       1
2    Critical  Arbitrary File Upload                               1
3    Critical  Access to admin panel                               1
4    Critical  Unauthorised access to customer details (IDOR)      3
5    Critical  Reset password of admin by OTP bypass               1
6    Critical  Forced Browsing                                     1
7    Critical  Run command in admin panel                          1
8    Severe    Cross Site Request Forgery                          3
9    Severe    Default/Weak Password                               2
10   Severe    Cross Site Scripting                                3
11   Severe    Rate Limiting Flaw                                  4
12   Severe    Open Redirection                                    1
13   Severe    Crypto Configuration Flaw                           1
14   Moderate  Directory Listing                                   1
15   Moderate  Personally Identifiable Information (PII) leakage   1
16   Moderate  Outdated components                                 2
17   Moderate  Unnecessary seller information disclosed            1
18   Low       Server-side misconfiguration flaw                   2
19   Low       Descriptive error messages                          2
20   Low       Default files/pages                                 4


1. SQL Injection (Critical)

The URL below is vulnerable to SQL injection.

Affected URL :
• http://52.66.212.175/products.php?cat=1

Affected Parameters :
• cat (GET parameter)

Payload :
• cat=1'
Observation
• products.php opens on category 1 (T-shirts). Clicking Socks changes the URL to cat=2, so the category is selected by the GET parameter cat.
• Adding a single quote, products.php?cat=1', returns a full SQL syntax error from the database.
• Adding a line comment, products.php?cat=1'--+, makes the error disappear. The quote reaches the SQL query unescaped and the comment hides the broken remainder of the statement, which confirms the parameter is injectable.
• The finding was confirmed with sqlmap:
  python sqlmap.py -u "http://52.66.212.175/products.php?cat=1" --cookie "key=0E1744AA-5A26-AE82-308B-E6F1F3B8BEEA"
Proof of Concept (PoC)
• The number of columns in the query was found with ORDER BY: products.php?cat=1' order by N--+ returns an error once N exceeds the column count, and 7 is the largest value that succeeds, so the query selects seven columns.
• A UNION with seven columns then returns the database name: products.php?cat=1' union select database(),database(),database(),database(),database(),database(),database()--+
• Database name : hacking_training_project
• sqlmap enumerates the same information with the --dbs switch:
  python sqlmap.py -u "http://52.66.212.175/products.php?cat=1" --cookie "key=0E1744AA-5A26-AE82-308B-E6F1F3B8BEEA" --dbs
PoC – the attacker can dump data
• Databases (2) : hacking_training_project, information_schema
• Tables in hacking_training_project (10) : brands, cart_items, categories, customers, order_items, orders, product_reviews, products, sellers, users
Business Impact – High
• An attacker can extract every record in the application database, including all customer, seller and user data.
• The users table was dumped as proof (screenshot in the original report). It stores credentials in plain text, with no hashing or encryption.
• With these credentials an attacker can log in to any user's account and obtain further personal information about that user.
Recommendations

• Whitelist user input: accept only the data each parameter is expected to carry. A flower name may be limited to letters and at most 20 characters; an id such as cat must be a number and nothing else.
• Prepared statements: use parameterised queries (prepared statements), which every web language and framework provides, so that user input is bound as data and can never change the structure of the SQL statement.
• Escaping as a fallback only: where a legacy query cannot be parameterised, escape special characters with the database driver's own escaping function (for example ' to \', " to \" and \ to \\). Do not use HTML or URL encoding for this; they are output encodings for other contexts.
• Do not store passwords in plain text. Store only a salted, slow password hash such as bcrypt, scrypt or Argon2; a bare SHA-1 or SHA-256 digest is fast to brute-force and is not a suitable password hash.
• Do not run the database service as the admin or root user.
• Disable or remove default accounts, passwords and databases.
• Give each database user only the permissions it needs; the web application's account should not be able to read tables it never uses or write to the file system.
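To make the vulnerable pattern and its fix concrete, here is an added Python example; it is not code from this report or from the Lifestyle Store application (which is PHP with MySQL). It rebuilds the report's detection steps and UNION extraction against an in-memory SQLite database and places the prepared-statement version beside it. The table and column layout, the sample rows, the three-column UNION and the use of the users table in place of database() are assumptions made for the demo.

```python
import sqlite3

# Constructed demo data. Only the table names come from the report's dump;
# the columns and rows are assumptions made for this example.
DDL = """
CREATE TABLE products (id INTEGER, name TEXT, price REAL, category_id INTEGER);
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO products VALUES (1, 'T-shirt', 9.99, 1), (2, 'Socks', 3.50, 2);
INSERT INTO users VALUES (16, 'bhula123', 'plaintext-password');
"""


def _connect():
    con = sqlite3.connect(":memory:")
    con.executescript(DDL)
    return con


def products_vulnerable(cat):
    """Mirrors what products.php appears to do: the GET value is pasted into
    the SQL string, so quotes and comments from the URL become SQL."""
    con = _connect()
    sql = f"SELECT id, name, price FROM products WHERE category_id = '{cat}'"
    return con.execute(sql).fetchall()


def products_safe(cat):
    """Allow-list the parameter (a category id is an integer) and bind it,
    so the value is data and can never alter the statement."""
    if not str(cat).isdigit():
        raise ValueError("cat must be a positive integer")
    con = _connect()
    sql = "SELECT id, name, price FROM products WHERE category_id = ?"
    return con.execute(sql, (int(cat),)).fetchall()


def looks_injectable(query_fn):
    """The report's manual test: a lone quote must raise a SQL error and
    quote-plus-comment must make the error go away again."""
    try:
        query_fn("1'")
        quote_errors = False
    except sqlite3.OperationalError:
        quote_errors = True
    except ValueError:  # the hardened version rejects the value before any SQL runs
        return False
    try:
        query_fn("1'--")
        comment_recovers = True
    except (sqlite3.OperationalError, ValueError):
        comment_recovers = False
    return quote_errors and comment_recovers


# The report's UNION payload adapted to this schema: three columns instead
# of seven, and the users table instead of database().
UNION_PAYLOAD = "1' UNION SELECT id, username, password FROM users --"


def rejects_payload(query_fn, payload=UNION_PAYLOAD):
    """True when the function refuses the payload instead of running it."""
    try:
        query_fn(payload)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable injectable:", looks_injectable(products_vulnerable))
    print("vulnerable rows for payload:", products_vulnerable(UNION_PAYLOAD))
    print("safe injectable:", looks_injectable(products_safe))
    print("safe rejects payload:", rejects_payload(products_safe))
```

The quote-then-comment probe is the same reasoning the report used by hand; against the parameterised version the probe never reaches the database because the allow-list rejects the value first, and even without the allow-list the bound parameter would be compared as a string rather than parsed as SQL.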
Reference

• https://owasp.org/www-community/attacks/SQL_Injection
• https://en.wikipedia.org/wiki/SQL_injection
2. Arbitrary File Upload (Critical)

The URL below is vulnerable to arbitrary file upload.

Affected URL :
• http://52.66.212.175/wondercms

Affected Parameters :
• Files (POST parameter, WonderCMS Settings → Files)
Observation
• From the blog, open Settings and use the Files section, which is meant for documents such as PDFs, to upload a file.
• Instead of a PDF we uploaded a PHP file containing a single line that prints the user the web server runs as: echo exec("whoami");
• The upload was accepted and, when the uploaded file was opened in a new window, the code executed and returned the current user. The server therefore neither restricts uploaded file types nor prevents uploads from being executed as PHP.
• To show the full impact we then uploaded the b374k mini web shell in the same way.
Proof of Concept (PoC)
• The mini shell uploaded successfully and gave full access to the site's server, and with it the critical information about the users and the website.
Business Impact – High
• An attacker who can upload and execute arbitrary PHP has full control of the web server and everything behind it: the application code can be changed and the whole database read or altered.
• The same upload can carry malware to be served to visitors or administrators, a phishing page hosted on the trusted domain, or a defacement of the site.

Recommendation
• Whitelist the permitted extensions (for example .jpg, .png, .pdf) and reject everything else. Do not rely on a blacklist of .php, .html and similar; blacklists are bypassed with alternative extensions (.phtml, .phar), double extensions and case changes.
• Validate on the server that the file content matches the declared type (magic bytes, image re-encoding), not just the name or the client-supplied Content-Type.
• Store uploads outside the web root, or on a separate static host or CDN, and serve them through a handler that never executes them. If they must stay under the web root, disable script execution for the upload directory.
• Rename every upload to a server-generated name so the attacker controls neither the name nor the extension of the stored file.
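An added example, not the report's or the application's code, of the server-side upload check recommended above, written in Python. The accepted types and their leading bytes are assumptions for the demo; the real Files section only needs whatever WonderCMS is configured to accept. The check is deliberately layered: extension allow-list, content check, PHP-marker check, and a random stored name.

```python
import os
import secrets

# Allowed extension -> leading bytes the content must start with.
# This set is an assumption for the example; the report only says PDFs were expected.
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"')


def accept_upload(original_name, data):
    """Return the server-chosen filename to store the content under,
    or None when the upload must be rejected.

    Nothing from the client is trusted: the name is reduced to its last
    extension, the extension must be on the allow-list, the bytes must match
    that type, and the stored name is random so the uploader controls neither
    name nor extension."""
    base = os.path.basename(original_name.replace("\\", "/"))
    if "\x00" in base:
        return None  # null-byte tricks such as "shell.php\x00.jpg"
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in MAGIC:
        return None  # covers .php, .phtml, .phar, .htaccess, "shell.jpg.php", ...
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return None  # a PHP file renamed to .jpg fails here
    if any(marker in data for marker in PHP_MARKERS):
        return None  # defence in depth against image/PHP polyglots
    return f"{secrets.token_hex(16)}.{ext}"


def stored_extension(name):
    """Extension of a name returned by accept_upload (None stays None)."""
    return None if name is None else name.rsplit(".", 1)[1]
```

Even with this check in place the stored file should live outside the web root or in a directory where script execution is disabled; the check reduces the attack surface, the storage location removes it.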
Reference

• https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
• https://www.go4expert.com/articles/understanding-arbitrary-file-upload-t26351/
• https://www.getastra.com/e/malware/infections/arbitrary-file-upload-vulnerability
3. Access to Admin Panel (Critical)

The URL below is vulnerable.

Affected URL :
• http://52.66.212.175/wondercms/loginURL
Observation
• The blog admin panel (WonderCMS) accepts the default password admin, and with it we were inside the admin panel.
Proof of Concept (PoC)
• From the admin panel we can change the layout and content of the website and also change the admin password, after which the real administrator can no longer log in.
Business Impact – High
• An attacker can log in to the admin panel and change the layout and content of the website.
• An attacker can add malicious code, videos or blog posts that do not belong to the website, which damages the company's reputation, and can add or delete pages.
• An attacker can change the admin password and lock the administrator out.

Recommendation
• Replace the default password with a strong, unique one before the site goes live.
• Require additional verification (for example the current password or an e-mail confirmation) before a password change takes effect.
• Do not expose the admin login URL to ordinary users; restrict it by network or by an additional authentication step.
• Remove all default accounts.
Reference
• https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password
• https://www.acunetix.com/blog/web-security-zone/common-password-vulnerabilities/
4. Unauthorised Access to Customer Details (IDOR) (Critical)

The URLs below are vulnerable to Insecure Direct Object Reference: the record to show or edit is chosen by an identifier in the URL, and the server never checks that it belongs to the logged-in user.

Affected URL :
• http://52.66.212.175/orders/generate_receipt/ordered/13

Affected Parameter :
• order id (last segment of the URL path)

Payload :
• order id = any other number

Affected URL :
• http://52.66.212.175/profile/16/edit

Affected Parameter :
• user id (segment of the URL path)

Payload :
• user id = any other number

Affected URL :
• http://52.66.212.175/reset_password/customer.php?username=bhula123

Affected Parameter :
• username (GET parameter)

Payload :
• username = any valid username
Observation
• Add an item to the cart and confirm the order; a receipt is generated. Changing the order id in the receipt URL shows the receipt of another customer's order, including that customer's details.
• Open My Profile and edit it. The user id is part of the URL, so changing it opens the edit form of another user's profile and lets us change it.
• On the customer login page, enter a username and click Forgot Password. The username appears as a GET parameter in the next URL; changing it returns the e-mail address registered to any other customer.
Proof of Concept (PoC)
• http://52.66.212.175/orders/generate_receipt/ordered/11 with the order id replaced by another customer's order id shows all the details of that customer's order.
• http://52.66.212.175/profile/16/edit with the user id replaced by another user's id lets us edit that user's profile.
• http://52.66.212.175/reset_password/customer.php?username=bhula123 with the username replaced returns the e-mail address of the other user.
Business Impact
• The personal data of every kind of user is exposed. An attacker can harvest names, phone numbers, usernames and e-mail addresses for all customers and use them in a targeted social-engineering attack.
• Because profiles can also be edited, an attacker can change another customer's details, and the username and e-mail together give a starting point for taking over the account.

Recommendation
• Sensitive information must only be reachable by the user it belongs to (or an authorised administrator).
• Perform the authorisation check on the server for every request that reads or writes a record: take the user from the server-side session and confirm that the requested order, profile or username belongs to that user. An identifier supplied in the URL must never be trusted on its own, and client IP addresses are not a substitute for this check.
• Respond to requests for other users' records with a generic error, and do not return the registered e-mail address on the password-reset page; send the reset link to the address on file instead.
• Rate-limit the reset and receipt endpoints so that identifiers cannot be enumerated in bulk.
Reference

• https://hdivsecurity.com/bornsecure/insecure-direct-object-references-automatic-prevention/
• https://gracefulsecurity.com/idor-insecure-direct-object-reference/
5. Reset Password of Admin by OTP Bypass (Critical)

The URL below is vulnerable to an OTP brute-force attack.

Affected URL :
• http://52.66.212.175/reset_password/admin.php

Affected Parameters :
• OTP (GET parameter)
Observation
• The admin login page offers Forgot Password and verifies the request with an OTP. The OTP is submitted as a GET parameter, so it can be changed directly in the URL and each value checked against the server.
Proof of Concept (PoC)
• The reset request was intercepted and sent to Burp Intruder. The OTP is only three digits long, so the range 100 to 999 was brute-forced; the server accepts unlimited attempts and the correct value was found.
• With the OTP accepted we set the admin credentials to username admin and password admin123.
• Logging in with the new password gave full control of the admin panel.
Business Impact
• An attacker can brute-force the OTP, reset the admin password and log in to the admin account without knowing any credential.
• With the admin account the attacker controls the admin panel and the website: products can be added or deleted, prices changed, and so on.

Recommendation
• Use an OTP of at least 6 digits and give it a short lifetime (a few minutes); a 3-digit code is found in at most 1,000 requests.
• Limit the number of verification attempts per OTP (for example 3 to 5) and invalidate the code after that, so that even a short code cannot be enumerated.
• Add a captcha to the reset flow and rate-limit it per account and per source address.
• Bind the OTP to the session that requested it and submit it in a POST body, not in the URL.
• Require a second verification step (for example a link sent to the registered e-mail address) before the password is actually changed.
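The following is an added Python model of the reset endpoint, not code from the report or from reset_password/admin.php, that shows why the report's Intruder run succeeds and what the attempt cap in the recommendation changes. The endpoint behaviour (unlimited guesses of a 3-digit code) is the report's observation; the cap, the lock state and the probability helper are this example's assumptions.

```python
import secrets


class OtpResetEndpoint:
    """Model of reset_password/admin.php. The real page accepts unlimited guesses
    of a 3-digit code; max_attempts=None reproduces that, an integer caps it."""

    def __init__(self, digits, max_attempts=None):
        self.digits = digits
        self.max_attempts = max_attempts
        self.issue()

    def issue(self):
        # fresh code from a CSPRNG, zero-padded so "007" is a valid code
        self.otp = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self.failures = 0

    def verify(self, guess):
        """Return 'ok', 'wrong' or 'locked'. A locked code must be re-issued."""
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            return "locked"
        if secrets.compare_digest(guess, self.otp):
            return "ok"
        self.failures += 1
        return "wrong"


def brute_force(endpoint):
    """Intruder-style enumeration of the whole keyspace (000..999 for 3 digits).
    Returns the code that was accepted, or None if the endpoint locked first."""
    for n in range(10 ** endpoint.digits):
        guess = f"{n:0{endpoint.digits}d}"
        result = endpoint.verify(guess)
        if result == "ok":
            return guess
        if result == "locked":
            return None
    return None


def success_probability(digits, attempts):
    """Chance that `attempts` guesses hit a uniformly random `digits`-digit code."""
    return min(attempts, 10 ** digits) / 10 ** digits
```

Length and attempt cap work together: a 6-digit code with no cap still falls in at most a million requests, and a 3-digit code with a cap of 5 is still guessed half a percent of the time, so the recommendation asks for both.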
Reference

• https://owasp.org/www-community/attacks/Brute_force_attack
• https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks
• https://en.wikipedia.org/wiki/Brute-force_attack
6. Forced Browsing (Critical)

The URL below is vulnerable to forced browsing.

Affected URL :
• http://52.66.212.175/admin31/dashboard.php
Observation
• Log in to the admin panel with username admin and password admin123 and copy the URL of the admin dashboard.
• In a second browser session, log in to the seller panel with username chandan and password chandan123.
Proof of Concept (PoC)
• Paste the copied admin URL into the seller's browser session. Even after the admin session has been logged out, the admin panel opens inside the seller's session (the original report includes a video of this). The dashboard checks only that some session exists, not that it belongs to an administrator.
Business Impact
• Any seller, or anyone who obtains a seller account through the weak-password and rate-limiting findings below, can reach the admin panel just by knowing its URL.
• From the admin panel the attacker can change product prices and other data, causing direct financial loss.

Recommendation
• Every page under admin31/ must verify on the server, on every request, that the current session belongs to a user with the administrator role; a valid seller or customer session must be refused.
• Enforce access control and authorisation policies centrally so that each user can reach only the functions matching their privileges.
• Define an allow-list of the URLs each role may use and deny everything else by default, rather than relying on users not knowing the admin URL.
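One server-side authorisation layer that closes both the IDOR finding (4) and this forced-browsing finding (6), as an added Python example rather than the application's own PHP. The sessions, the order ownership table and the route-to-role mapping are constructed for the demo; the routes are the report's URLs with the numeric id turned into a placeholder.

```python
# Constructed data: session id -> (user id, role), and order id -> owning customer id.
SESSIONS = {
    "sess-admin": (1, "admin"),
    "sess-chandan": (7, "seller"),
    "sess-bhula123": (16, "customer"),
}
ORDERS = {11: 16, 13: 42}

# Which roles may use which route. Route names are the report's URLs with the id made a placeholder.
ROUTE_ROLES = {
    "/admin31/dashboard.php": {"admin"},
    "/profile/{id}/edit": {"customer"},
    "/orders/generate_receipt/ordered/{id}": {"customer", "admin"},
}


def authorize(session_id, route, object_id=None):
    """Decide a request from the server-side session only.

    Returns (HTTP status, reason). The id from the URL is used to look the
    record up, never to decide who the caller is."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "login required"          # also what a logged-out session gets
    user_id, role = session
    allowed = ROUTE_ROLES.get(route)
    if allowed is None:
        return 404, "no such page"            # deny by default for unknown URLs
    if role not in allowed:
        return 403, "forbidden"               # a seller replaying the admin URL ends here
    if route == "/orders/generate_receipt/ordered/{id}":
        owner = ORDERS.get(object_id)
        if owner is None or (role != "admin" and owner != user_id):
            return 404, "no such order"       # same answer for missing and foreign ids
    if route == "/profile/{id}/edit" and object_id != user_id:
        return 404, "no such profile"
    return 200, "ok"


def logout(session_id):
    """Invalidate the session on the server so a copied URL stops working."""
    SESSIONS.pop(session_id, None)
```

Returning 404 rather than 403 for another user's order or profile means the response does not confirm that the guessed id exists, which also blunts enumeration of the receipt endpoint.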
Reference

• https://owasp.org/www-community/attacks/Forced_browsing
• http://www.imperva.com/application_defense_center/glossary/forceful_browsing.html
• https://campus.barracuda.com/product/webapplicationfirewall/doc/42049348/forced-browsing-attack/
7. Run Command in Admin Panel (Critical)

The URL below allows operating-system command execution.

Affected URL :
• http://52.66.212.175/admin31/dashboard.php
Observation
• After logging in with the admin credentials, the admin panel contains a console page that executes shell commands on the server on behalf of the administrator.
Proof of Concept (PoC)
• Entering ls in the console executes it on the server and returns the directory listing.
Business Impact
• Anyone who reaches the admin panel (through the default password, the OTP brute force or the forced browsing described above) can run arbitrary commands on the server and read any file or configuration the web server user can read.
• The attacker can use the console to read and modify the website and its data, and to run further malicious commands to gain more information about, or control over, the server.

Recommendation
• Remove the command console from the web application. A page that runs arbitrary shell commands turns any compromise of an admin account into a full server compromise, and no input filtering makes that safe.
• If a maintenance function is genuinely needed, expose only specific, fixed actions with strictly validated arguments (allow-listed values, no shell interpolation), canonicalise inputs before validating them, and log every use.
Reference

• https://owasp.org/www-community/attacks/Command_Injection
• https://cwe.mitre.org/data/definitions/77.html
8. Cross Site Request Forgery (Severe)

The URLs below are vulnerable to Cross Site Request Forgery: the state-changing requests carry no anti-CSRF token, so a page under the attacker's control can submit them with the victim's browser and cookies.

Affected URL :
• http://52.66.212.175/profile/16/edit

Affected Parameter :
• Name, Phone, Address (POST parameters)

Affected URL :
• http://52.66.212.175/profile/change_password.php

Affected Parameter :
• Update (POST parameter)

Affected URL :
• http://52.66.212.175/cart/cart.php

Affected Parameter :
• Confirm order (POST parameter)
Observation
• After logging in we navigated to http://52.66.212.175/profile/16/edit and to http://52.66.212.175/profile/change_password.php.
• We selected a product and added it to the cart to buy it.
Proof of Concept (PoC)
• The edit-profile request was intercepted and its parameters changed; after dropping the original request and refreshing the page, the profile showed the changed values. Nothing in the request ties it to the page that generated it.
• The same was done with the change-password request, changing the password and confirm-password fields.
• For the order, we built an HTML page that submits the confirm-order form, opened it in an incognito window and refreshed; the order was placed. In a real attack the page is opened in the victim's browser while the victim is logged in.
Business Impact
• An attacker can place orders on behalf of users. As orders are cash on delivery, the user will cancel or refuse them, and the workload on the fulfilment staff grows sharply.
• An attacker can change the victim's name, address, phone number or password without their involvement.

Recommendation
• Implement anti-CSRF tokens: an unpredictable per-session (or per-form) value placed in a hidden field of every state-changing form and verified on the server before the action is carried out. Consult the documentation of the language and framework in use; most provide this.
• Set the session cookie with the SameSite attribute (Lax or Strict) so that browsers do not attach it to cross-site POST requests.
• Check the Origin (or, failing that, Referer) header as defence in depth; do not rely on it alone.
• Re-authenticate the user (current password or a one-time code) for critical actions such as changing the password, deleting the account or making a payment.
Reference

• https://owasp.org/www-community/attacks/csrf
• https://wiki.owasp.org/index.php/Testing_for_CSRF_(OTG-SESS-005)
• https://en.wikipedia.org/wiki/Cross-site_request_forgery
9. Default/Weak Password (Severe)

The URLs below accept default or weak passwords.

Affected URL :
• http://52.66.212.175/login/seller.php
Affected Parameter :
• Password (POST parameter)

Affected URL :
• http://52.66.212.175/wondercms
Affected Parameter :
• Password (POST parameter)
Observation
• The seller account uses a password that is easily guessed from the username (chandan / chandan123).
• The blog administrator still uses the WonderCMS default password admin.
Proof of Concept (PoC)
• The seller credentials were recovered by running wordlists against the username and password fields with Burp Intruder; the login has no rate limiting (see finding 11).
• The blog panel was entered directly with the default password admin.
Business Impact
• An attacker can log in as a seller with a guessed or default password.
• Inside the seller account the attacker can add or delete data and change product prices, causing financial loss to the seller.
• The attacker can change the seller's password and lock the legitimate seller out.

Recommendation
• Replace the default and weak passwords with strong, unique ones, and reject passwords that contain the username or appear in common-password lists.
• Require a minimum length of at least 8 characters with a mix of character classes; longer passphrases are better.
• Add a captcha and attempt limiting to the seller login.
Reference

• https://www.sciencedirect.com/topics/computer-science/default-password
• https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password
10. Cross Site Scripting (Severe)

The URLs below are vulnerable to stored Cross Site Scripting: input is saved and later written into pages without output encoding.

Affected URL :
• http://52.66.212.175/products/details.php?p_id=8

Affected Parameter :
• Review (POST parameter)

Affected URL :
• http://52.66.212.175/wondercms

Affected Parameter :
• General settings → main website title (POST parameter)

Affected URL :
• http://52.66.212.175/profile/16/edit

Affected Parameter :
• Address (POST parameter)
Observation
• In the product review box we submitted HTML to see whether it is rendered: <a> Visit this link for best T-shirts </a>. It was rendered as a tag, not shown as text.
• In the blog's general settings we put the special characters < > ' " into the main website title; they appeared unencoded in the page source.
• After logging in, we put the same special characters into the Address field of the edit-profile form, with the same result.
Proof of Concept (PoC)
• Review box : <script> alert("Sorry, this is blocked for few minutes") </script> : the alert fires for every visitor of the product page.
• Main website title : <script> alert("I hope this is your best experience ever.") </script> : the alert fires on every page of the blog.
• Address field : <script> alert("sorry,you are not aligible") </script> : the alert fires when the profile is displayed.
Business Impact
• An attacker can inject arbitrary HTML, CSS and JavaScript into pages served by the site. Because the review and title payloads are stored, every visitor is affected, not only someone who follows a crafted link.
• The injected script runs with the site's origin: it can steal session cookies, show a phishing form or serve malware, and users will trust it because it comes from the site they trust.

Recommendation
• Encode output for the context it is written into. For HTML body and attribute contexts convert < > " ' & into the entities &lt; &gt; &quot; &#39; &amp; before printing user data; use the framework's templating escape rather than hand-written replacements.
• Validate input as well (reject characters a field cannot legitimately contain, for example in a phone number), but treat validation as defence in depth, not as the fix.
• Set the session cookie HttpOnly and deploy a Content-Security-Policy to limit the damage of any remaining injection.
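As an added example (Python, not the application's PHP templates), the two output contexts that matter for the review, title and address fields, rendered with entity encoding. The review payload is the report's; the attribute-breaking title value is constructed for the demo to show why the quotes must be encoded as well as the angle brackets.

```python
import html

# Payloads used as sample input.
REVIEW_PAYLOAD = '<script> alert("Sorry, this is blocked for few minutes") </script>'  # from the report
TITLE_PAYLOAD = '" onmouseover="alert(1)'  # constructed: breaks out of an attribute, not a body


def render_review(review_text):
    """HTML body context: every special character becomes an entity."""
    return f'<p class="review">{html.escape(review_text, quote=True)}</p>'


def render_title_input(title):
    """HTML attribute context: the quotes must be encoded too, or the value
    ends early and the rest becomes new attributes."""
    return f'<input type="text" name="title" value="{html.escape(title, quote=True)}">'
```

html.escape with quote=True emits &lt; &gt; &amp; &quot; and &#x27;, which covers both contexts; a JavaScript or URL context would need its own encoder, which is why the recommendation says to encode for the context rather than to strip characters on input.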
Reference

• https://en.wikipedia.org/wiki/Cross-site_scripting
• https://owasp.org/www-community/attacks/xss/
• https://www.acunetix.com/websitesecurity/cross-site-scripting/
11. Rate Limiting Flaw (Severe)

The URLs below have no rate limiting: any number of login attempts can be made without delay or lockout.

Affected URL :
• http://52.66.212.175/login/seller.php

Affected Parameter :
• Username, Password (POST parameters)

Affected URL :
• http://52.66.212.175/login/customer.php

Affected Parameter :
• Username, Password (POST parameters)

Affected URL :
• http://52.66.212.175/login/admin.php

Affected Parameter :
• Username, Password (POST parameters)

Affected URL :
• http://52.66.212.175/forum/index.php?u=/user/login

Affected Parameter :
• Username, Password (POST parameters)
Observation
• The login request was intercepted in Burp Suite and sent to Intruder with wordlists for the username and password fields. Every attempt was answered normally, and the correct username and password were identified from the differing response.
Business Impact
• An attacker can run a dictionary attack against any login and recover the username and password of any account.
• Without rate limiting the attacker can also script the creation of large numbers of fake accounts.

Recommendation
• After more than 5 consecutive failed attempts for an account or source address, block further attempts from that account or address for a period of time, increasing with repeated blocks.
• Limit the number of attempts per time window on every login and registration endpoint.
• Enforce long passwords so that brute force remains impractical even at the permitted rate.
• Add a captcha to the login and registration forms.
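An added Python model of the sliding-window limiter recommended above, not code from the report or the application, replayed over a constructed attempt log that imitates the Intruder run against seller.php. Keying on username plus source address, and the limit, window and block durations, are assumptions for the demo.

```python
from collections import deque


class LoginRateLimiter:
    """Sliding-window limiter for a login endpoint.

    A key (here username plus source address) may fail at most `limit` times
    within `window` seconds; reaching the limit blocks the key for `block`
    seconds, and while blocked even a correct password is refused."""

    def __init__(self, limit=5, window=60.0, block=300.0):
        self.limit, self.window, self.block = limit, window, block
        self._failures = {}       # key -> deque of failure timestamps
        self._blocked_until = {}  # key -> time the block expires

    def allowed(self, key, now):
        return self._blocked_until.get(key, 0.0) <= now

    def record_failure(self, key, now):
        q = self._failures.setdefault(key, deque())
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()               # forget failures outside the window
        if len(q) >= self.limit:
            self._blocked_until[key] = now + self.block
            q.clear()

    def record_success(self, key):
        self._failures.pop(key, None)


def replay(limiter, attempts):
    """Feed (timestamp, source ip, username, password_correct) events through
    the limiter and return the outcome of each: failed, blocked or success."""
    outcomes = []
    for when, ip, user, correct in attempts:
        key = (user, ip)
        if not limiter.allowed(key, when):
            outcomes.append("blocked")
        elif correct:
            limiter.record_success(key)
            outcomes.append("success")
        else:
            limiter.record_failure(key, when)
            outcomes.append("failed")
    return outcomes


# Constructed log: an Intruder run against seller.php that guesses the
# password on its sixth try, then the real seller logging in later.
INTRUDER_RUN = [(t, "203.0.113.5", "chandan", False) for t in range(5)] + [
    (5, "203.0.113.5", "chandan", True),
    (400, "203.0.113.5", "chandan", True),
]
```

Keying on username alone would let an attacker lock legitimate users out on purpose, while keying on source address alone is evaded by rotating proxies; a per-(user, address) key plus a separate, looser per-address limit is the usual compromise.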
Reference

• https://medium.com/bugbountywriteup/bypassing-rate-limit-abusing-misconfiguration-rules-dcd38e4e1028
• https://www.keycdn.com/support/rate-limiting
• https://ussignal.com/blog/protect-against-cyber-attacks-with-rate-limiting
12. Open Redirection (Severe)

The URL below is vulnerable to open redirection.

Affected URL :
• http://52.66.212.175/redirect.php (linked from http://52.66.212.175/products/details.php?p_id=8)

Affected Parameter :
• url (GET parameter)
Observation
• The target of the redirect is taken from the url GET parameter without any check, so it can be pointed at any external site.
• Payload : http://52.66.212.175/redirect.php?url=https://www.internshala.com
Proof of Concept (PoC)
• Opening http://52.66.212.175/redirect.php?url=https://www.internshala.com redirects the browser to the external site.
Business Impact
• An attacker can send a link that starts on the trusted 52.66.212.175 address and lands on a look-alike site under their control, where the victim enters credentials or, at checkout, card details, trusting the address they clicked.

Recommendation
• Remove the redirection function and replace links to it with direct links to the target URLs.
• If a redirector is needed, keep a server-side list of permitted targets and pass an index into that list instead of the URL itself, or at minimum accept only relative paths and URLs whose host is the site's own.
Reference
• https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-
Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect
• https://owasp.org/search/?searchString=open+redirection
13. Crypto Configuration Flaw (Severe)

The site below is served without transport encryption.

Affected URL :
• http://52.66.212.175
Observation
• The whole site, including every login page, is served over plain HTTP; HTTPS is not offered at all.
Business Impact
• Everything sent between the user and the server, including usernames, passwords, session cookies and order details, crosses the network in clear text. Anyone on the path (public Wi-Fi, a compromised router, an ISP) can read it and, by tampering with the responses, modify pages or inject content.

Recommendation
• Serve the site only over HTTPS with a certificate from a trusted CA, redirect all HTTP requests to HTTPS, and send the Strict-Transport-Security header so browsers stop using HTTP.
• Mark the session cookie Secure so it is never sent over HTTP.
Reference
• https://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html
14. Directory Listing (Moderate)

The URL below has directory listing enabled.

Affected URL :
• http://52.66.212.175/static/images/uploads/customers
Observation
• Requesting http://52.66.212.175/static/images/uploads/customers returns a complete listing of the directory: the profile pictures of all users and the other images used by the site.
Proof of Concept (PoC)
• All users' profile pictures were enumerated; some are included in the original report as proof.
Business Impact
• Directory listing does not by itself damage the server, but it lets an attacker enumerate and download everything in a listable directory without guessing names, including any backup or other file that was left there.
• The attacker can view every user's picture and read the contents of any downloaded backup.

Recommendation
• Disable automatic directory indexing in the web server configuration (for Apache, Options -Indexes).
• As a fallback, place an index.html with a neutral message in every directory that must remain browsable.

Reference
• https://cwe.mitre.org/data/definitions/548.html
• https://www.netsparker.com/blog/web-security/disable-directory-listing-web-servers/
15. Personally Identifiable Information (PII) Leakage (Moderate)

The URL below leaks personal information.

Affected URL :
• http://52.66.212.175/login/customer.php
Observation
• The customer login page shows a "customer of the month" with the customer's profile picture and username, visible to anyone without logging in.
Business Impact
• The username is exactly what the forgot-password flow needs: with it an attacker can start a password reset for that customer (see findings 4 and 5) and work towards changing the password.
• If the reset succeeds the attacker has the user's account and all the sensitive information in it.

Recommendation
• Do not display usernames or other account identifiers publicly; show a display name at most.
• Protect the password reset with proper verification, for example a reset link sent to the registered e-mail address or an OTP of adequate length with attempt limiting, so that knowing a username alone gives no access.

Reference
• https://cipher.com/blog/25-tips-for-protecting-pii-and-sensitive-data/
• https://digitalguardian.com/blog/how-secure-personally-identifiable-information-against-loss-or-compromise
16. Outdated Components (Moderate)

The components below are outdated.

Affected component :
• PHP
• WonderCMS
Observation
• The site runs PHP 5.6.39. The 5.6 branch reached end of life in December 2018 and receives no security fixes; at the time of testing the current release was 7.4.5.
• The blog is built on WonderCMS in a version well behind the current release and needs to be updated.
Business Impact
• Outdated software has publicly documented vulnerabilities. An attacker only needs to look up the version in use, find a known vulnerability for it and apply a ready-made exploit.

Recommendation
• Upgrade PHP and WonderCMS to currently supported versions, and keep all components of the site on a regular patching schedule.

Reference
• https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A9-
Using_Components_with_Known_Vulnerabilities
• https://www.tutorialspoint.com/security_testing/components_with_vulnerabilities.htm
• https://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-298515/PHP-PHP-
5.6.39.html
17. Unrequired information of seller

17. Unrequired information of seller(Moderate)

Below mention URL is vulnerable to Sensitive information of seller.

Affected URL :
• http://52.66.212.175/products/details.php?p_id=11
Observation
• When we click on the seller info, we see the seller's details, including information that is not required, such as
the PAN number.
Business Impact
• This vulnerability does not impact the business directly, but the information can be used for social engineering
against the seller.

Recommendation
• Only the name and email address are needed to contact the seller. The other information is unrequired and should
not be displayed.

Reference
• https://blog.detectify.com/2016/07/01/owasp-top-10-sensitive-data-exposure-6/
• https://www.tutorialspoint.com/security_testing/testing_sensitive_data_exposure.htm
18. Server-side misconfiguration flaw

18. Server-side misconfiguration flaw(Low)

The URLs below lack server-side validation.

Affected URL :
• http://52.66.212.175/forum/index.php?u=/user/register
Affected Parameter :
• Email address

Affected URL :
• http://52.66.212.175/profile/16/edit
Affected Parameter :
• Phone
Observation
• When you sign up in the forum panel, you must enter a proper email address. We intercepted the request and
tampered with the email address in Burp Suite, then checked the response to the tampered request in Repeater.
Observation
• After logging in as a customer and clicking on edit profile, we changed the contact number, but it was not updated.
We then intercepted the edit-profile request, changed the number in it and dropped the original request.
Proof of Concept(PoC)
• After dropping the original request and refreshing the page, the forum account had been created successfully.
Proof of Concept(PoC)
• After dropping the original request and refreshing the page, the profile showed the changed number.
Business Impact
• If the data provided by a user is incorrect, that is not a very big issue in itself, but the data must still be checked
with proper validation.

Recommendation
• Implement all critical checks in server-side code only.
• Treat client-side checks as cosmetic only.
• Implement and check all business logic in the server code. This includes user input, the flow of the application,
and even which URLs/modules a user is allowed to access.
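An added example, not the Lifestyle Store's own code, of how the forum registration and profile-edit handlers could enforce these checks on the server, so that a request edited in a proxy is rejected whatever the browser's JavaScript allowed; the field names, the accepted phone format and the helper functions are assumptions:

```php
<?php
// Added example, not the Lifestyle Store's own code: server-side validation for the
// registration and profile-edit fields above. Field names and helpers are assumptions.

/**
 * Returns an array of field => error message; an empty array means the input is
 * acceptable. Nothing here relies on what the browser's JavaScript checked.
 */
function validate_profile_input(array $input)
{
    $errors = [];

    // Email: must be a plain string (reject email[]=x rather than coercing it)
    // and must parse as a syntactically valid address.
    $email = isset($input['email']) ? $input['email'] : null;
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid email address is required.';
    }

    // Phone: optional leading +, then 10 to 15 digits. The exact format is an
    // assumed business rule, not one taken from the site.
    $phone = isset($input['phone']) ? $input['phone'] : null;
    if (!is_string($phone) || !preg_match('/^\+?[0-9]{10,15}$/', $phone)) {
        $errors['phone'] = 'Phone number must be 10 to 15 digits, optional leading +.';
    }

    return $errors;
}

/**
 * Request handler: a tampered request fails here with HTTP 400 even though the
 * original, browser-validated request was dropped in the proxy.
 */
function handle_profile_update(array $post)
{
    $errors = validate_profile_input($post);
    if ($errors !== []) {
        http_response_code(400);
        header('Content-Type: application/json');
        echo json_encode(['ok' => false, 'errors' => $errors]);
        return false;
    }
    // Only validated values reach this point; persist them with a prepared statement.
    return true;
}

// Constructed inputs: the first mirrors a request edited in Burp Repeater.
var_dump(validate_profile_input(['email' => 'not-an-email', 'phone' => 'abc']));
var_dump(validate_profile_input(['email' => 'user@example.com', 'phone' => '+919000000000']));
```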

Reference
• https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration
• https://www.owasp.org/index.php/Unvalidated_Input
19. Descriptive error messages

19. Descriptive error messages(Low)

The URLs below return descriptive error messages.

Affected URL :
• http://52.66.212.175/?includelang=lang/en.php
Payload :
• Includelang[]=lang/en.php

Affected URL :
• http://52.66.212.175/search/search.php?q=Socks
Payload :
• q=-’
Observation
• We clicked on language and included some special characters in the language URL. It displayed an error that
reveals some information about the server.
• Payload URL : 15.206.146.181/?includelang[]=lang/fr.php
Observation
• When we searched for a product in the search bar and included a special character in the GET-based URL, it
displayed an error.
• Payload URL : 13.233.254.187/search/search.php?q=-’
Business Impact
• This type of vulnerability has no direct impact on users or the server, but an attacker can use it to map the
architecture of the website and plan further attacks on the server.

Recommendation
• Do not display the default error messages, because they reveal not only details about the server but sometimes
also file locations. Whenever an error occurs, redirect to the same page or return a manually written generic error
message.
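An added example, not the site's own code, of the PHP configuration and handlers that implement this recommendation: default error output is switched off, every warning, exception and fatal error goes to the server log, and the client only ever sees a generic page. The handler names and the generic page text are assumptions.

```php
<?php
// Added example, not the site's own code: stop PHP from printing its default error
// messages and route every error to the server log plus a generic page instead.

ini_set('display_errors', '0');   // never echo raw errors to the client
ini_set('log_errors', '1');       // keep them in the server log
error_reporting(E_ALL);

/** Generic response that reveals nothing about paths, versions or queries. */
function render_generic_error($status = 500)
{
    if (!headers_sent()) {
        http_response_code($status);
        header('Content-Type: text/html; charset=utf-8');
    }
    echo '<h1>Something went wrong</h1><p>Please try again later.</p>';
}

// Warnings and notices, such as the one PHP raises when a parameter that should
// be a string arrives as an array (includelang[]=...), are logged, not printed.
set_error_handler(function ($errno, $errstr, $errfile, $errline) {
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true; // handled, so PHP's built-in output is suppressed
});

// Uncaught exceptions, for example a failed database query caused by a
// malformed search term, reach the log; the user sees only the generic page.
set_exception_handler(function ($e) {
    error_log('Uncaught ' . get_class($e) . ': ' . $e->getMessage());
    render_generic_error(500);
});

// Fatal errors bypass set_error_handler, so catch them at shutdown.
register_shutdown_function(function () {
    $err = error_get_last();
    $fatal = [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR];
    if ($err !== null && in_array($err['type'], $fatal, true)) {
        error_log(sprintf('Fatal: %s in %s:%d', $err['message'], $err['file'], $err['line']));
        render_generic_error(500);
    }
});

// Defensive input typing for a GET parameter: refuse anything that is not a
// plain string before it is used, instead of letting PHP emit a warning.
$q = isset($_GET['q']) && is_string($_GET['q']) ? $_GET['q'] : '';
```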

Reference
• https://www.owasp.org/index.php/Improper_Error_Handling
20. Default files/pages

20. Default files/pages(Low)

The default files below are accessible on the server.

Default files :
• robots.txt
• userlist.txt
• server-status
• phpinfo.php
Proof of Concept(PoC)
• We appended robots.txt to the index page URL and got this page.
Proof of Concept(PoC)
• We appended userlist.txt to the index page URL and got this page.
Proof of Concept(PoC)
• We appended server-status to the index page URL and got this page, which gives information about the server
used by this website.
Proof of Concept(PoC)
• We appended phpinfo.php to the index page URL and got information about the PHP installation used by this
website.
Business Impact
• This type of vulnerability has no direct impact on users or the server, but an attacker can use it to map the
architecture of the website and plan further attacks on the server.

Recommendation
• Disable all default files and pages.

Reference
• https://vuldb.com/?id.88482
• https://www.beyondsecurity.com/scan_pentest_network_vulnerabilities_apache_http_server_httponly_cookie_information_disclosure
THANK YOU
For any further clarifications/patch assistance, please contact:
+919016193206
