APPLICATION PENETRATION TEST SUPER VEDA

More documents

Recommendations

Info

Application Penetration Test for Super Veda- Sample Report -5.7 CROSS-SITE SCRIPTINGSeverity: MediumAn attacker can take advantage of numerous input fields in the applicationin order to mislead an innocent customer entering the site into giving awayinformation, or as a tunnel for the attacker for future purchases on behalfof the first. Input fields include the comments area, the search page, andthe new user signup form.The first cross site scripting attack is based on a malicious userembedding malicious code (in the form of Javascript or VBScript) in thesearch field of the search.asp page. This allows an attacker to send a mailto any user asking him to view a list of search results. If the innocent userwould surf to this linked page, where the malicious code is injected by theattacker he would have a response script sent to him. This can result inthe user’s session cookie sent to the attacker for instance, which willenable the attacker to act on the user’s behalf without his knowledge.Appendix G - Cross-site Scripting demonstrates this problem.ImpervaPage30 of73
Application Penetration Test for Super Veda- Sample Report -5.8 PERMISSIONS MISUSESeverity: MediumThe user accessing the database is the same for all the users logging into the system, and is the database administrator (user ‘sa’). This leads toan attacker being able to view tables outside of the scope of theapplication and to query the sysobjects/syscolumns tables.5.9 FORCEFUL BROWSINGSeverity: LowForceful browsing denotes the ability of an attacker to access modules notin the order they were meant to, possibly bypassing some applicationlogic. In particular, unauthenticated forceful browsing may allow a user toaccess privileged information or actions without successfully completingthe authentication process.It turns out that in the Super Veda site, the postcomment.asp page, whichoriginally can be accessed only after logging-in, can be accessed withoutprior authentication.5.10 INFORMATION DISCLOSURESeverity: Informative• Detailed error messages within the Web server enablethe user to gather reconnaissance and internalinformation about the structure of the SQL queries to thedatabases, and the infrastructural technology behind thesite (database, OS, hardware, etc). Moreover, using SQLinjection techniques mentioned in the above sections anattacker can query the database for their entire internaltopology, and infrastructure architecture. This can later beused by an attacker as a lead towards better-attacking ofthe system.• In some of the site's pages there are internalprogrammers comments left within the code. Thoseenable an attacker to gather crucial information as to theexact nature of some of the application's methodologies,and transactions flow.ImpervaPage31 of73
Page 1 and 2: APPLICATION PENETRATION TESTSUPER V
Page 3 and 4: REFERENCESREF DOCUMENT VERSION DATE
Page 5 and 6: 5.6 Script Injection into User’s
Page 7 and 8: Application Penetration Test for Su
Page 29: Application Penetration Test for Su
Page 73: Application Penetration Test for Su

APPLICATION PENETRATION TEST SUPER VEDA

Create successful ePaper yourself

Delete template?

Save as template?