APPLICATION PENETRATION TEST SUPER VEDA

More documents

Recommendations

Info

Application Penetration Test for Super Veda- Sample Report -4 SUMMARY OF RESULTSThe penetration test uncovered a number of serious vulnerabilities thatjeopardize the security of individual accounts as well as the security of theapplication's internal network. Following is a short summary of majorvulnerabilities:4.1 READING THE ENTIRE DATABASE CONTENTSSeverity: CriticalAn attacker can alter the address of some of the application web pages insuch a way that enables him to query the internal database for all itsinformation. As a result, the attacker can steal the entire collection ofinformation within the database, which includes all the registeredusernames, passwords, and credit card numbers. The attacker cangenerally be granted access to all the information in the database using amanipulation on the input of an SQL query.4.2 UNAUTHORIZED ACCESS TO ACCOUNTSSeverity: CriticalAn attacker can access accounts of all individual users without priorknowledge of their password, thus bypassing the application'sauthentication.4.3 OBTAINING A DISCOUNT FOR PURCHASESSeverity: HighAn attacker can manipulate the values of a cookie stored on his client inorder to mislead the application into believing that his privileges are higherthan they actually are, thus resulting in his obtaining a discount for hispurchases.ImpervaPage10 of73
Application Penetration Test for Super Veda- Sample Report -4.4 PARAMETERS TAMPERINGSeverity: HighAn attacker can manipulate the values of parameters stored on his clientduring the purchase session to alter the application's common workflow.This can lead to:• An attacker misleading a client into reaching the orderstage and then changing his order details, having thepurchase reach the attacker's address instead of therightful owner's address.• Changing the purchase quantity, thus resulting in apurchase whose totals sum is negative.• Changing the 'sale' parameter, thus causing a product tobe sold at a price lower than its listed price.• Changing the name of the active user while contactingthe site's administrator, thus being able to impersonateanother user, and acting on his behalf.4.5 SCRIPT INJECTION INTO ADMINISTRATOR’SBROWSERSeverity: HighAn attacker can take advantage of the “Contact Us” feature to injectmalicious code into the browser of an administrator reading usermessages. The injected code can be used to extract information from theadministrator’s browser or as a tunnel for the attacker to the internalnetwork.4.6 SCRIPT INJECTION INTO USER’S BROWSERSeverity: HighAn attacker can take advantage of the products comments feature toinject malicious code into the browser of another visiting user who readshis comment. The injected code can be used to extract information fromthe innocent browser.ImpervaPage11 of73
Page 1 and 2: APPLICATION PENETRATION TESTSUPER V
Page 3 and 4: REFERENCESREF DOCUMENT VERSION DATE
Page 5 and 6: 5.6 Script Injection into User’s
Page 7 and 8: Application Penetration Test for Su
Page 9: Application Penetration Test for Su
Page 61 and 62:
Application Penetration Test for Su
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73:
show all

APPLICATION PENETRATION TEST SUPER VEDA

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?