167 168
Web Application Penetration Testing
Login page

=====================================
Checking localhost:443 for correct use of Strict Transport Security (STS) response header (RFC6797) ...
[!] STS response header: NOT PRESENT
[!] Vulnerable to MITM threats mentioned in https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Threats
[!] Vulnerability Status: VULNERABLE
--------------- RAW HTTP RESPONSE ---------------
HTTP/1.1 200 OK
Date: Wed, 23 Jul 2014 13:48:07 GMT
Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
X-Powered-By: PHP/5.4.7
Set-Cookie: SessionID=xxx; expires=Wed, 23-Jul-2014 12:48:07 GMT; path=/; secure
Set-Cookie: SessionChallenge=yyy; expires=Wed, 23-Jul-2014 12:48:07 GMT; path=/
Content-Length: 193
Connection: close
Content-Type: text/html

Login page

=====================================
Checking localhost for HTTP support against HTTPS Stripping attack ...
[!] HTTP Support on port [80] : SUPPORTED
[!] Vulnerable to HTTPS Stripping attack mentioned in https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
[!] Vulnerability Status: VULNERABLE
=====================================
Checking localhost:443 for HTTP elements embedded in SSL page ...
[!] HTTP elements embedded in SSL page: PRESENT
[!] Vulnerable to MITM malicious content injection attack
[!] Vulnerability Status: VULNERABLE
--------------- HTTP RESOURCES EMBEDDED ---------------
- http://othersite/test.js
- http://somesite/test.css
=====================================
Checking localhost:443 for ROBUST use of anti-caching mechanism ...
[!] Cache Control Directives: NOT PRESENT
[!] Browsers, Proxies and other Intermediaries will cache SSL page and sensitive information will be leaked.
[!] Vulnerability Status: VULNERABLE
-------------------------------------------------
Robust Solution:
- Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0, max-age=0, s-maxage=0
- Ref: https://www.owasp.org/index.php/Testing_for_Browser_cache_weakness_(OTG-AUTHN-006)
       http://msdn.microsoft.com/en-us/library/ms533020(v=vs.85).aspx
=====================================
Checking localhost:443 for Surf Jacking vulnerability (due to Session Cookie missing secure flag) ...
[!] Secure Flag in Set-Cookie: PRESENT BUT NOT IN ALL COOKIES
[!] Vulnerable to Surf Jacking attack mentioned in https://resources.enablesecurity.com/resources/Surf%20Jacking.pdf
[!] Vulnerability Status: VULNERABLE
--------------- RAW HTTP RESPONSE ---------------
HTTP/1.1 200 OK
Date: Wed, 23 Jul 2014 13:48:07 GMT
Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
X-Powered-By: PHP/5.4.7
Set-Cookie: SessionID=xxx; expires=Wed, 23-Jul-2014 12:48:07 GMT; path=/; secure
Set-Cookie: SessionChallenge=yyy; expires=Wed, 23-Jul-2014 12:48:07 GMT; path=/
Content-Length: 193
Connection: close
Content-Type: text/html
=====================================
Checking localhost:443 for ECDHE/DHE ciphers against FORWARD SECRECY support ...
[*] Forward Secrecy: SUPPORTED
[*] Connected using cipher - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA on protocol - TLSv1
[*] Attackers will NOT be able to decrypt sniffed SSL packets even if they have compromised private keys.
[*] Vulnerability Status: No
=====================================
Checking localhost:443 for RC4 support (CVE-2013-2566) ...
[!] RC4: SUPPORTED
[!] Vulnerable to MITM attack described in http://www.isg.rhul.ac.uk/tls/
[!] Vulnerability Status: VULNERABLE
=====================================
Checking localhost:443 for TLS 1.1 support ...
Checking localhost:443 for TLS 1.2 support ...
[*] TLS 1.1, TLS 1.2: SUPPORTED
[*] Immune from BEAST attack mentioned in http://www.infoworld.com/t/security/red-alert-https-has-been-hacked-174025
[*] Vulnerability Status: No
=====================================
Loading module: sslyze by iSecPartners ...
Checking localhost:443 for Session Renegotiation support (CVE-2009-3555,CVE-2011-1473,CVE-2011-5094) ...
[*] Secure Client-Initiated Renegotiation : NOT SUPPORTED
[*] Mitigated from DOS attack (CVE-2011-1473,CVE-2011-5094) mentioned in https://www.thc.org/thc-ssl-dos/
[*] Vulnerability Status: No
[*] INSECURE Client-Initiated Renegotiation : NOT SUPPORTED
[*] Immune from TLS Plain-text Injection attack (CVE-2009-3555) - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
[*] Vulnerability Status: No
=====================================
Loading module: TestSSLServer by Thomas Pornin ...
Checking localhost:443 for SSL version 2 support ...
[*] SSL version 2 : NOT SUPPORTED
[*] Immune from SSLv2-based MITM attack
[*] Vulnerability Status: No
=====================================
Checking localhost:443 for LANE (LOW,ANON,NULL,EXPORT) weak ciphers support ...
Supported LANE cipher suites:
  SSLv3
    RSA_EXPORT_WITH_RC4_40_MD5
    RSA_EXPORT_WITH_RC2_CBC_40_MD5
    RSA_EXPORT_WITH_DES40_CBC_SHA
    RSA_WITH_DES_CBC_SHA
    DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    DHE_RSA_WITH_DES_CBC_SHA
    TLS_ECDH_anon_WITH_RC4_128_SHA
    TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_anon_WITH_AES_256_CBC_SHA
  (TLSv1.0: same as above)
  (TLSv1.1: same as above)
  (TLSv1.2: same as above)
[!] LANE ciphers : SUPPORTED
[!] Attackers may be ABLE to recover encrypted packets.
[!] Vulnerability Status: VULNERABLE
=====================================
Checking localhost:443 for GCM/CCM ciphers support against Lucky13 attack (CVE-2013-0169) ...
Supported GCM cipher suites against Lucky13 attack:
  TLSv1.2
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[*] GCM/CCM ciphers : SUPPORTED
[*] Immune from Lucky13 attack mentioned in http://www.isg.rhul.ac.uk/tls/Lucky13.html