12.07.2015

APPLICATION PENETRATION TEST SUPER VEDA
Application Penetration Test for Super Veda - Sample Report -

4.7 CROSS-SITE SCRIPTING
Severity: Medium

Numerous input fields in the application echo user-supplied content back into pages without encoding it. An attacker can take advantage of these fields to mislead a legitimate customer into giving away information upon entering the site, or to use them as a channel for future purchases under that customer's identity. The affected input fields include the comments area, the search page, and the new user signup form.

4.8 PERMISSIONS MISUSE
Severity: Medium

The database account used by the application is the same for every user logging into the system, and it is the database administrator (user 'sa'). As a result, an attacker is able to view tables outside the scope of the application and to query the sysobjects/syscolumns system tables, which list every object and column in the database.

4.9 FORCEFUL BROWSING
Severity: Low

Forceful browsing denotes the ability of an attacker to access modules in an order other than the one they were meant to be accessed in, possibly bypassing some application logic. In particular, unauthenticated forceful browsing may allow a user to reach privileged information or actions without successfully completing the authentication process.

In the Super Veda site, the postcomment.asp page, which in theory can only be reached after login, can be accessed without prior authentication.

4.10 INFORMATION DISCLOSURE
Severity: Informative

• Detailed error messages from the Web server enable the user to gather reconnaissance and internal information about the structure of the SQL queries to the databases, the infrastructural technology behind the site

Imperva
Page 12 of 73
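The following is an added example and is not code from the Imperva report or from the Super Veda site. It models findings 4.7, 4.9 and 4.10 in one small Python request handler, showing the defect beside its fix in each case: raw echo of a comment or search term versus context-aware HTML encoding (4.7), a postcomment page that checks the session itself rather than relying on the menu to hide it (4.9), and a verbose database error page versus a generic one that keeps the query text in the server log (4.10). The real site is classic ASP; the Request/Response classes, the session store, the sample session cookie and the db_search stand-in (whose error text carries the query, as a verbose error page would) are all constructed for this example. Finding 4.8 concerns the database login itself and is not modelled here.

```python
"""Added example, not from the Imperva report or the Super Veda site: a small
Python model of findings 4.7, 4.9 and 4.10 with the fix beside each defect.
The handlers, session store, sample session and db_search are constructed."""
import html
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


# 4.7 Cross-site scripting: encode user input for the HTML context it lands in.
def render_comment_vulnerable(comment: str) -> str:
    # Raw echo: a payload submitted via the comments area runs for every reader.
    return f"<div class='comment'>{comment}</div>"


def render_comment_safe(comment: str) -> str:
    # html.escape turns < > & " ' into entities, so the browser shows text only.
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def render_search_form(term: str) -> str:
    # The search term is echoed into an attribute value; quote=True is what
    # closes the "break out of the attribute" vector.
    return f'<input name="q" value="{html.escape(term, quote=True)}">'


# 4.9 Forceful browsing: the page checks the session itself, not just the menu.
SESSIONS = {"sid-4f2a": "alice"}  # constructed session store: cookie -> user


def require_login(handler):
    def wrapped(req: Request) -> Response:
        user = SESSIONS.get(req.cookies.get("SID", ""))
        if user is None:
            # Anonymous client: send to login instead of running the handler.
            return Response(302, "Location: /login.asp")
        return handler(req, user)
    return wrapped


@require_login
def post_comment(req: Request, user: str) -> Response:
    return Response(200, render_comment_safe(req.params.get("text", "")))


# 4.10 Information disclosure: constructed DB layer whose error text carries
# the query, the way a verbose server error page would.
def db_search(term: str) -> list:
    if "'" in term:
        raise RuntimeError(
            "Unclosed quotation mark in: SELECT * FROM products "
            f"WHERE name LIKE '%{term}%'"
        )
    return [p for p in ("veda kit", "veda cloth") if term in p]


SERVER_LOG: list = []  # stands in for the server-side error log


def error_response_verbose(exc: Exception) -> Response:
    # What the report describes: query text and table names reach the client.
    return Response(500, f"Database error: {exc}")


def error_response_generic(exc: Exception) -> Response:
    # Detail goes to the server log; the client gets only an opaque reference.
    SERVER_LOG.append(repr(exc))
    return Response(500, f"An error occurred (ref {len(SERVER_LOG)}).")


def handle(req: Request, verbose_errors: bool = False) -> Response:
    try:
        if req.path == "/postcomment.asp":
            return post_comment(req)
        if req.path == "/search.asp":
            term = req.params.get("q", "")
            hits = db_search(term)
            return Response(200, render_search_form(term) + f"<p>{len(hits)} results</p>")
        return Response(404, "Not found")
    except Exception as exc:
        return error_response_verbose(exc) if verbose_errors else error_response_generic(exc)


if __name__ == "__main__":
    print(handle(Request("/postcomment.asp", {"text": "hi"})))           # 302 to login
    print(handle(Request("/search.asp", {"q": "O'Reilly"}), True).body)  # leaks the query
    print(handle(Request("/search.asp", {"q": "O'Reilly"})).body)        # generic message
```

The three checks a tester would run against the real site map onto the same calls: submit a script tag through the comments area and look for it unencoded in the rendered page, request postcomment.asp with no session cookie and expect a redirect to login rather than a 200, and send a term containing a single quote to the search page and confirm the response body carries no query text.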
