Penetration Test: Application Name: ABC TELCO APPLICATION

Uploaded by

Umair Ahmed

PENETRATION TEST REPORT

Application Name: ABC TELCO APPLICATION

ATTENTION: This document contains confidential information concerning vulnerabilities
investigated against the ABC TELCO application. By accepting this document, you agree
to keep the contents in confidence and not copy, disclose or distribute this outside ABC
TELCO.
PENETRATION TEST REPORT – ABC TELCO
___________________________________________________________

1 Table of Contents
2 EXECUTIVE SUMMARY ............................................................................ 7
2.1 APPROACH ...................................................................................... 8
2.2 SCOPE OF WORK .............................................................................. 8
2.3 ENGAGEMENT HIGHLIGHTS................................................................ 9
2.4 ABC TELCO APPLICATION IN TERMS OF SECURITY POSTURE ................. 10
3 METHODOLOGY EMPLOYED.................................................................... 11
3.1 PLANNING ..................................................................................... 11
3.2 RECONNAISSANCE ......................................................................... 11
3.3 VULNERABILITY ASSESSMENT .......................................................... 12
3.4 RISK AND ATTACK FACTOR ANALYSIS ............................................... 12
3.5 EXPLOITATION ............................................................................... 12
3.6 REPORTING ................................................................................... 12
3.7 TOOLS USED ................................................................................. 13
4 VULNERABILITY SUMMARY .................................................................... 14
4.1 RISK RATING ................................................................................. 14
4.2 SUMMARY OF FINDINGS OF ABC TELCO TEST WEB APPLICATION ........... 15
4.3 GRAPHICAL REPRESENTATION .......................................................... 15
4.4 OWASP TOP 10 CHECKLIST .............................................................. 16
4.5 VULNERABILITY SUMMARY AND BRIEF ............................................. 17
5 DETAIL FINDINGS ................................................................................ 18
5.1 SQL INJECTION .............................................................................. 18
5.1.1 ANALYSIS ................................................................................ 18
5.1.2 AFFECTED AREA........................................................................ 18
5.1.3 IMPACT ................................................................................... 18
5.1.4 LIKELIHOOD............................................................................. 18
5.1.5 EVIDENCE ................................................................................ 19
5.1.6 RECOMMENDATION ................................................................... 20
5.2 BROKEN OBJECT LEVEL AUTHORIZATION ON CART OF ANDROID APP ..... 21
5.2.1 ANALYSIS ................................................................................ 21
5.2.2 AFFECTED AREA........................................................................ 21
5.2.3 IMPACT ................................................................................... 21
_________________________________________________________________________________
Copyright © ABC TELCO. All rights reserved. 2
5.2.4 LIKELIHOOD............................................................................. 21
5.2.5 EVIDENCE ................................................................................ 22
5.2.6 RECOMMENDATION ................................................................... 22
5.3 CROSS SITE SCRIPTING (REFLECTED) ............................................... 23
5.3.1 ANALYSIS ................................................................................ 23
5.3.2 IMPACT ................................................................................... 23
5.3.3 LIKELIHOOD............................................................................. 23
5.3.4 AFFECTED URLS........................................................................ 23
5.3.5 EVIDENCE ................................................................................ 23
Figure 11: XSS Injection Response in Browser .......................................... 24
5.3.6 RECOMMENDATION ................................................................... 24
5.4 LOGIN PAGE PASSWORD BRUTEFORCE ATTACK .................................. 25
5.4.1 ANALYSIS ................................................................................ 25
5.4.2 AFFECTED AREA........................................................................ 25
5.4.3 IMPACT ................................................................................... 25
5.4.4 LIKELIHOOD............................................................................. 25
5.4.5 EVIDENCE ................................................................................ 25
5.4.6 RECOMMENDATION ................................................................... 26
5.5 DICTIONARY ATTACK ON AUTH CODES TO RESET PASSWORD OF ANY USER . 27
5.5.1 ANALYSIS ................................................................................ 27
5.5.2 AFFECTED AREA........................................................................ 27
5.5.3 IMPACT ................................................................................... 27
5.5.4 LIKELIHOOD............................................................................. 27
5.5.5 EVIDENCE ................................................................................ 28
5.5.6 RECOMMENDATION ................................................................... 28
5.6 BYPASSING EMAIL ACCOUNT VERIFICATION DURING USER SIGNUP....... 29
5.6.1 ANALYSIS ................................................................................ 29
5.6.2 AFFECTED AREA........................................................................ 29
5.6.3 IMPACT ................................................................................... 29
5.6.4 LIKELIHOOD............................................................................. 29
5.6.5 EVIDENCE ................................................................................ 30
5.6.6 RECOMMENDATION ................................................................... 30
5.7 USERNAME ENUMERATION ............................................................... 31
5.7.1 ANALYSIS ................................................................................ 31

5.7.2 AFFECTED AREA........................................................................ 31
5.7.3 IMPACT ................................................................................... 31
5.7.4 LIKELIHOOD............................................................................. 31
5.7.5 EVIDENCE ................................................................................ 32
5.7.6 RECOMMENDATION ................................................................... 32
5.8 WEAK PASSWORD POLICY ............................................................... 33
5.8.1 ANALYSIS ................................................................................ 33
5.8.2 AFFECTED AREA........................................................................ 33
5.8.3 IMPACT ................................................................................... 33
5.8.4 LIKELIHOOD............................................................................. 33
5.8.5 EVIDENCE ................................................................................ 33
5.8.6 RECOMMENDATION ................................................................... 33
6 OBSERVATION AND RECOMMENDATIONS ................................................ 34


DOCUMENT INFORMATION

Document Information
  Company          ABC TELCO
  Project Name     External Penetration Test (Grey Box)
  Document Title   External Penetration Test Report
  Author           Danish Ali
  Reviewer         ------
  Classification   Confidential
  No. of Pages     34

Recipient Information
  Name   Designation               Contact
  ABC    Manager Web Technologies  [email protected]

Document History
  Date         Version   Name         Details
  30 OCT 2019  1.0       Danish Ali   Initial Report



Part I

WEB APP PENETRATION TEST

2 EXECUTIVE SUMMARY
ABC TELCO performed a Gray box WEB APP penetration test in order to determine
whether the ABC TELCO application is susceptible to any weakness that could have
adverse effects on the organization’s operations. All activities were performed in a manner
that simulates a malicious actor engaged in a targeted attack against the ABC TELCO
application, with the goals of:

• Identifying whether a remote attacker could penetrate ABC TELCO’s defenses
• Determining the impact of a security breach on:
  – Confidentiality of the company’s private data
  – Infrastructure and availability of ABC TELCO’s information systems

To enhance the security posture of the ABC TELCO application, ABC TELCO performed an
external WEB APP penetration test of the application that mimics the actions of an actual
attacker.

The exercise concluded by highlighting weaknesses and providing remedial steps for the
vulnerable entities discovered.
The project was completed during the following timeline.

Project                           Start Date    End Date
Web Application Penetration Test  21 OCT 2019   30 OCT 2019


2.1 APPROACH
The ABC TELCO Security Team executed a comprehensive vulnerability assessment, including
vulnerability confirmation, exploitation of weakened services, client-side attacks and
browser-side attacks, among others.

The assessment determined the impact of a security breach on:

– The integrity of the ABC TELCO website
– The confidentiality of the ABC TELCO website’s information
– The availability of the ABC TELCO website

The purpose of this assessment was to verify the effectiveness of the security controls put
in place for the ABC TELCO application to secure business-critical information. This report
contains the findings derived from the assessment and the related recommendations to help
ABC TELCO strengthen the application’s security position.

2.2 SCOPE OF WORK

This security assessment covers the WEB APP penetration testing of the ABC TELCO application.
The assessment was carried out from a Gray box perspective, with the only supplied
information being the ABC TELCO website to be tested. No other information was assumed at
the start of the assessment.

As a result of the engagement, we managed to find some high-severity vulnerabilities, which
confirmed that the security posture of the ABC TELCO application still needs to be improved.
The overall risk associated with the ABC TELCO application is average. It is reasonable to believe
that a malicious attacker would be able to successfully execute an attack against the ABC TELCO
application through targeted attacks. The report also contains a detailed explanation of
every vulnerability found, along with detailed countermeasures to fix those vulnerabilities.


2.3 ENGAGEMENT HIGHLIGHTS

The scope of the WEB APP penetration testing was Gray box. The assessment was to analyze
the security posture of the network by identifying any vulnerabilities in the network and
suggest countermeasures for all the findings requiring remediation.

After the detailed assessment, 9 unique vulnerabilities were found on the ABC TELCO
application. The following domain/IP addresses are included in the scope of the engagement.

#   Item                 WEB APP Address
1.  ABC TELCO Test APPS  https://abc.telco.net.us


2.4 ABC TELCO APPLICATION IN TERMS OF SECURITY POSTURE

The increasing number of serious security breaches announced in the press reminds us
every day of the financial and non-financial consequences an organization could endure in
case of a successful attack. New business and regulatory requirements, recent trends and
the increasing sophistication of cyber attackers further exacerbate this problem.
Therefore, evaluating the security posture of the web applications an organization
possesses is key for today’s organizations to survive in this competitive market.

Performing such activities not only allows the organization to protect the confidentiality,
integrity and availability of data, but is also helpful in recognizing current strengths, current
trends and areas of improvement, ultimately helping the organization attain benchmark
security.
Based on our experience, the security posture of the ABC TELCO application is average.


3 METHODOLOGY EMPLOYED
Our testing methodology not only results in a thorough test of the entire target environment,
but also in a detailed deliverable with both tactical and strategic recommendations. These
recommendations are both actionable and advisory in nature, while remaining correlated to
our client’s business goals. We have designed a hybrid framework comprised of three of
the most widely used industry standards for security testing, namely the Open Web Application
Security Project (OWASP), the Open Source Security Testing Methodology Manual (OSSTMM)
and the Information System Security Assessment Framework (ISSAF). The framework is
further customized in accordance with the client’s information systems. Our approach is
depicted in the diagram below.

ABC TELCO followed the penetration test approach of OSSTMM and OWASP, and the test was
carried out using a five-phase methodology as shown in the figure below:

Figure 1: Methodology Employed

3.1 PLANNING

ABC TELCO performed the penetration test according to the scope of engagement, which is
Gray Box.

3.2 RECONNAISSANCE

Reconnaissance falls under the non-intrusive category of the exercise being
performed. To gather as much information as possible for analysis of the target objectives,
various techniques are employed. The primary activities include network trolling and querying
various public repositories (WHOIS, mailing lists, Usenet groups etc.).


3.3 VULNERABILITY ASSESSMENT

The vulnerability scanning and enumeration phase comprises identifying live systems,
identifying open / filtered ports and their corresponding services, footprinting router / firewall
rules, classifying operating system details, etc.

3.4 RISK AND ATTACK FACTOR ANALYSIS

Vulnerability scanning was performed using first-rate tools such as Burp Suite and Acunetix.
Once risks were found by the different scanners, they were verified and cross-referenced
through multiple techniques such as scripting and network trolling in order to avoid false
positive results.

3.5 EXPLOITATION

Once testing is complete, verification is performed in the real environment to analyze
the attack perimeters and their consequences.

3.6 REPORTING

Subsequently, after the exhaustive testing, a thorough report is generated which details the
remedial steps against the weaknesses identified.
The core idea behind our methodology is to organize and iteratively test the target
environment from the most general components to the most specific. In a large, complex
corporate environment, this runs from the external network blocks presented to us at the
beginning of the engagement down to the specific security controls utilized by
external-facing applications. The scope is the total possible operating security environment
for any interaction with any asset, which may include the physical components of security
measures as well.


3.7 TOOLS USED

Some tools used by our expert teams during penetration tests include (but are in no
way limited to):

Tools Used
#   Tool            Description
1.  Burpsuite       Application assessment tool to proxy, spider, and scan for
                    application security issues.
2.  Kali Linux      Open-source security testing distribution that includes many
                    commonly used penetration testing tools used to identify and
                    exploit security issues.
3.  Metasploit      Exploitation framework to compile and execute exploit code.
4.  NMAP            Utility for network exploration or security auditing.
5.  Nikto           Web server scanner that tests web servers for dangerous
                    files/CGIs, outdated server software and other problems.
6.  OWASP ZAP       Application assessment tool to spider, scan, and identify
                    application security issues.
7.  Sqlmap          Automates the process of detecting and exploiting SQL
                    injection. This project can be downloaded from
                    http://sqlmap.org/.
8.  Custom Scripts  Custom Python, Perl, Bash or other programming scripts.


4 VULNERABILITY SUMMARY
4.1 RISK RATING

Risk Rating

High: The risk of the vulnerability is High, as either it is considerably easy to
exploit or the gain/impact is high. This vulnerability should be fixed on an
urgent basis. These vulnerabilities can pose a very significant security
threat. Vulnerabilities that have a critical impact are typically those
that would allow an attacker to gain full administrative access to the
device, or identify conditions that do not immediately or directly result
in the compromise or unauthorized access of a network, system,
application or information, but do provide a capability or information
that could, in combination with other capabilities or information, result
in the compromise or unauthorized access of a network, system,
application or information.

Medium: The risk of the vulnerability is Medium, as the ease of exploitation is
moderate and the resulting impact is considerably medium. These
vulnerabilities have significant limitations on the direct impact they
can cause. Typically these vulnerabilities would include significant
information leakage vulnerabilities, denial of service vulnerabilities or
those that provide significantly limited access.

Low: These findings identify conditions that do not result in the compromise
of a network, system, application, or information, but do provide
information that can be used to probe the systems, servers and devices
in an attempt to penetrate them.

Informational: These types of findings are for informational purposes only; for example,
they cover open ports, service enumeration etc.


4.2 SUMMARY OF FINDINGS OF ABC TELCO TEST WEB APPLICATION

External Vulnerability Assessment Summary
  Category                                Description
  Total Number of Unique Vulnerabilities  9
  High / Medium / Low / Informational     7 / 2 / 0 / 0

4.3 GRAPHICAL REPRESENTATION

[Bar chart and pie chart, "Vulnerability by Severity": High 7 (78%), Medium 2 (22%), Low 0 (0%), Info 0 (0%)]

Figure 2: Graphical Overview of Vulnerabilities


4.4 OWASP TOP 10 CHECKLIST

The OWASP Top 10 highlights the most critical web application vulnerabilities. The ABC TELCO
SOC team conducted the web security assessment by testing for the existence of each of
these potential WEB APP threats in the ABC TELCO application.

#    OWASP CHECKLIST                          IMPACT                                      STATUS
1.   Injection flaws e.g. SQL, Blind SQL      Data loss or corruption                     ✓
2.   Broken Authentication Management         Disclosure of confidential data             ✓
3.   Cross Site Scripting (XSS)               Untrusted code execution                    ✓
4.   Insecure Direct Object References        Exploitation leads to phishing attacks      ×
5.   Security Misconfiguration                Sensitive information disclosure            ✓
6.   Sensitive Data Exposure                  Spam email attacks against users            ×
7.   Missing Function Level Access Control    May lead to root level access               ×
8.   Cross Site Request Forgery (CSRF)        Exploitation leading to client side attack  ×
9.   Using Known Vulnerable Component         May lead to compromising of host            ×
10.  Invalid Redirects & Forwards             Directory exposure                          ✓


4.5 VULNERABILITY SUMMARY AND BRIEF

#   Vulnerability                                                   Severity  Affected URLs
1.  SQL Injection                                                   High      http://staging.ABC TELCO.com.pk/ajax-support-faq-posts
2.  Broken Object Level Authorization on cart of Android App        High      http://abctelco.net.us/shop/order/product/?action=get_order_info
3.  Broken Object Level Authorization on Wishlist of Android App    High      http://abctelco.net.us/shop/order/product/?action=get_order_info
4.  Cross Site Scripting                                            High      http://staging.ABC TELCO.net.pk/login
5.  Login Page Password BruteForce Attack                           High      https://abctelco.net.us/login/user/?action=login
6.  Dictionary Attack on Auth codes to reset password of any user   High      https://abctelco.net.us/login/user/password/?action=reset
7.  Bypassing email account verification during user sign up       High      http://abctelco.net.us/user/?action=register
8.  Username Enumeration                                            Medium    https://abctelco.net.us/login
9.  Weak Password Policy                                            Medium    https://abctelco.net.us/login


5 DETAIL FINDINGS
The following vulnerabilities were successfully exploited, and evidence was gathered to
show the level of access obtained.

5.1 SQL INJECTION

Severity HIGH

Type Injection

Applicable Platform Android Application

5.1.1 ANALYSIS

An SQL injection was performed on the term_id parameter. SQL injection occurs when data
input by a user is interpreted as an SQL command rather than as normal data by the
backend database. This is an extremely common vulnerability and its successful
exploitation can have critical implications.

5.1.2 AFFECTED AREA

• http://staging.ABC TELCO.com.pk/ajax-support-faq-posts

5.1.3 IMPACT

Depending on the backend database, the database connection settings and the operating
system, an attacker can mount one or more of the following types of attack successfully:
• Reading, updating and deleting arbitrary data or tables from the database
• Executing commands on the underlying operating system

5.1.4 LIKELIHOOD

The likelihood of the vulnerability being exploited is HIGH.


5.1.5 EVIDENCE

The following screenshots show how the SOC team was able to extract all data from the
ABC TELCO staging server by exploiting the term_id parameter.

Figure 3: SQL injection commands

The database name and version can be seen in the given image, as can the names of the
databases.
All 183 tables of the database “ABC TELCO_wp” were extracted. The following image shows
all tables.

Figure 4: Database name & version


Figure 5: 183 tables of ABC TELCO_wp database

While pivoting, details of the table “usr_scm_account” were extracted. The given image
shows the names of account holders, email accounts and account types.

Figure 6: usr_scm_account details
5.1.6 RECOMMENDATION

A robust method for mitigating the threat of SQL injection based vulnerabilities is to
use parameterized queries (prepared statements). Almost all modern languages
provide built in libraries for this. Wherever possible, do not create dynamic SQL
queries or SQL queries with string concatenation.
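As an added illustration (not code from the report), the concatenation pattern behind this finding beside its parameterized replacement, in Python against an in-memory SQLite table; the table name, columns and rows are constructed here, since the report does not give the real schema behind ajax-support-faq-posts.

```python
import sqlite3

# Constructed sample rows standing in for the FAQ posts table behind
# ajax-support-faq-posts; the real schema is not given in the report.
ROWS = [
    (1, 101, "How do I top up my balance?"),
    (2, 101, "How do I check my data usage?"),
    (3, 202, "How do I change my plan?"),
]


def make_db():
    """In-memory SQLite database holding the constructed faq_posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE faq_posts (id INTEGER, term_id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO faq_posts VALUES (?, ?, ?)", ROWS)
    return conn


def faq_posts_vulnerable(conn, term_id):
    """The pattern behind the finding: the raw request parameter is concatenated
    into the SQL text, so whatever the client sends is parsed as SQL."""
    sql = "SELECT id, title FROM faq_posts WHERE term_id = " + str(term_id) + " ORDER BY id"
    return conn.execute(sql).fetchall()


def parse_term_id(raw):
    """Strict validation on arrival: term_id must be a plain decimal integer.
    Anything else is rejected, not sanitised."""
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError("invalid term_id")
    return int(raw)


def faq_posts_safe(conn, term_id):
    """Parameterized query: the value is bound as data and can never change
    the structure of the statement, whatever it contains."""
    sql = "SELECT id, title FROM faq_posts WHERE term_id = ? ORDER BY id"
    return conn.execute(sql, (term_id,)).fetchall()


def handle_request(conn, raw_term_id):
    """What the endpoint handler should do end to end: validate, then bind."""
    return faq_posts_safe(conn, parse_term_id(raw_term_id))


def request_is_rejected(conn, raw_term_id):
    """True when validation refuses the input before any SQL runs."""
    try:
        handle_request(conn, raw_term_id)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(faq_posts_vulnerable(db, "101"))         # 2 rows: the intended result
    print(faq_posts_vulnerable(db, "101 OR 1=1"))  # 3 rows: input rewrote the WHERE clause
    print(handle_request(db, "101"))               # 2 rows
    print(request_is_rejected(db, "101 OR 1=1"))   # True: never reaches the database
```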


5.2 BROKEN OBJECT LEVEL AUTHORIZATION ON CART OF ANDROID APP

Severity HIGH

Type Broken Object Level Authorization

Applicable Platform Android Application

5.2.1 ANALYSIS

After login, the SESSION ID is the only information the server uses to differentiate between
valid users and invalid ones. This app does not use SESSION IDs on a number of critical pages.
An attacker can see the details of anyone’s cart by guessing the shp_ord_id parameter.

5.2.2 AFFECTED AREA

• http://abctelco.net.us/shop/order/product/?action=get_order_info

5.2.3 IMPACT

An attacker does not even have to log in to see the cart of any user, because no session
ID is present with the request. The application is not able to differentiate between a valid and
an invalid user.
This application does not use SESSION IDs with its HTTP requests. The SESSION ID is the only
information the server uses to differentiate between valid and invalid requests. When the session
ID is missing, the application becomes unable to serve only valid users: pages authorized for
users can be seen without authenticating to the application.

5.2.4 LIKELIHOOD

The likelihood of the vulnerability being exploited is HIGH.


5.2.5 EVIDENCE

As the SESSION ID is not being used on the “shop” page, an attacker can guess “shp_ord_id” by
brute force and see the shopping cart of any user. A legitimate shp_ord_id, 3024, was assigned
to our user.

Figure 7: Valid 3024 id assigned to my cart

After guessing shp_ord_id, we are able to see the carts of other users. Only shp_ord_id needs
to be changed to find the carts of other legitimate users. The given image is the evidence.

Figure 8: Details of carts of other users

5.2.6 RECOMMENDATION

The session ID must be sent with each request, and a user must be limited to seeing only
their own cart.
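An added example, not the application’s code, of the two checks this recommendation asks for on the get_order_info action: the session store, order store, user ids, item names and status codes are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Order:
    shp_ord_id: int
    owner_user_id: int
    items: list = field(default_factory=list)


# Constructed data: session id -> user id, and one cart per user.
# 3024 mirrors the id the report shows assigned to the tester's own cart.
SESSIONS = {"sess-alice": 1, "sess-bob": 2}
ORDERS = {
    3024: Order(3024, 1, ["SIM starter pack"]),
    3025: Order(3025, 2, ["5 GB prepaid bundle"]),
}


class HttpError(Exception):
    def __init__(self, status):
        super().__init__(status)
        self.status = status


def get_order_info(session_id, shp_ord_id):
    """Handler for ?action=get_order_info with the two missing controls:
    1. the request must carry a valid session (authentication);
    2. the cart must belong to the user that session identifies (authorization).
    """
    if session_id is None or session_id not in SESSIONS:
        raise HttpError(401)  # no way to identify the caller: refuse
    user_id = SESSIONS[session_id]
    order = ORDERS.get(shp_ord_id)
    # Treat "not yours" exactly like "does not exist" so the response does not
    # reveal which shp_ord_id values are in use.
    if order is None or order.owner_user_id != user_id:
        raise HttpError(404)
    return {"shp_ord_id": order.shp_ord_id, "items": list(order.items)}


def status_for(session_id, shp_ord_id):
    """HTTP status the handler would return; 200 when the cart is served."""
    try:
        get_order_info(session_id, shp_ord_id)
        return 200
    except HttpError as exc:
        return exc.status


if __name__ == "__main__":
    print(get_order_info("sess-alice", 3024))  # own cart: served
    print(status_for(None, 3024))              # no session: 401
    print(status_for("sess-bob", 3024))        # someone else's cart: 404
    print(status_for("sess-alice", 9999))      # unknown cart: 404
```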


5.3 CROSS SITE SCRIPTING (REFLECTED)

Severity HIGH

Type Injection

Applicable Platform Web Application

5.3.1 ANALYSIS

The application does not implement input validation, which means that an attacker can
input malicious data.

5.3.2 IMPACT

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and
echoed into the application's immediate response in an unsafe way. An attacker can use the
vulnerability to construct a request that, if issued by another application user, will cause
JavaScript code supplied by the attacker to execute within the user's browser in the context
of that user's session with the application.

5.3.3 LIKELIHOOD

Likelihood of the vulnerability to be exploited is HIGH.

5.3.4 AFFECTED URLS

• http://staging.ABC TELCO.net.pk/login

5.3.5 EVIDENCE

The following figure shows the XSS attack on the staging ABC TELCO web application.

Figure 9: XSS injection in Request



The given image shows that the inserted script executed successfully.

Figure 10: XSS Injection Response in Browser

5.3.6 RECOMMENDATION

In most situations where user-controllable data is copied into application responses,
cross-site scripting attacks can be prevented using two layers of defenses:

• Input should be validated as strictly as possible on arrival, given the kind of content
  that it is expected to contain. For example, personal names should consist of
  alphabetical and a small range of typographical characters, and be relatively short; a
  year of birth should consist of exactly four numerals; email addresses should match a
  well-defined regular expression. Input which fails the validation should be rejected,
  not sanitized.
• User input should be HTML-encoded at any point where it is copied into application
  responses. All HTML metacharacters, including < > " ' and =, should be replaced with
  the corresponding HTML entities (&lt; &gt; etc).

In cases where the application's functionality allows users to author content using a restricted
subset of HTML tags and attributes (for example, blog comments which allow limited
formatting and linking), it is necessary to parse the supplied HTML to validate that it does not
use any dangerous syntax; this is a non-trivial task.


5.4 LOGIN PAGE PASSWORD BRUTEFORCE ATTACK

Severity HIGH

Type Broken Authentication

Applicable Platform Android Application

5.4.1 ANALYSIS

The application does not implement any protection against password-guessing attacks. An
attacker can try an unlimited number of passwords to recover the password of any valid user.

5.4.2 AFFECTED AREA

• https://abctelco.net.us/login/user/?action=login

5.4.3 IMPACT

A common threat Android application developers face is a password-guessing attack
known as a brute force attack. A brute-force attack is an attempt to discover a password
by systematically trying every possible combination of letters, numbers, and symbols until
the one correct combination is found.

This login page doesn't have any protection against password-guessing attacks (brute
force attacks). It's recommended to implement some type of account lockout after a
defined number of incorrect password attempts.

5.4.4 LIKELIHOOD

The likelihood of this vulnerability being exploited is HIGH.

5.4.5 EVIDENCE


Figure 11: Brute Force attack

5.4.6 RECOMMENDATION

The application must require a CAPTCHA after 3 failed login attempts and lock the
account for 15 minutes after 7 failed login attempts.
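The lockout policy above, as an added example in Python (not code from the report or from the ABC TELCO application). The thresholds are the report's (3 attempts, 7 attempts, 15 minutes); the class and function names, the injectable clock and the in-memory dictionaries are assumptions, and in a real deployment the counters must be kept server-side in shared storage, never in the Android client.

```python
import time

CAPTCHA_AFTER = 3        # failed attempts before a CAPTCHA is required (report, 5.4.6)
LOCK_AFTER = 7           # failed attempts before the account is locked (report, 5.4.6)
LOCK_SECONDS = 15 * 60   # lock duration: 15 minutes (report, 5.4.6)


class LoginGuard:
    """Per-account failure tracking (assumed in-memory store for illustration)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so the policy can be tested offline
        self._failures = {}          # account -> consecutive failed attempts
        self._locked_until = {}      # account -> unix time at which the lock expires

    def state(self, account):
        """'locked', 'captcha' or 'open' for the next attempt on this account."""
        if self._locked_until.get(account, 0) > self._clock():
            return "locked"
        if self._failures.get(account, 0) >= CAPTCHA_AFTER:
            return "captcha"
        return "open"

    def record_failure(self, account):
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= LOCK_AFTER:
            self._locked_until[account] = self._clock() + LOCK_SECONDS
            self._failures[account] = 0   # counting restarts once the lock expires
        return self.state(account)

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(guard, account, verify_password, captcha_ok=False):
    """Apply the policy around the credential check; verify_password is a zero-argument
    callable that is only invoked when the policy allows an attempt."""
    state = guard.state(account)
    if state == "locked":
        return "locked"                 # reject without running the password verifier
    if state == "captcha" and not captcha_ok:
        return "captcha_required"       # unsolved CAPTCHA: reject, not counted as a failure
    if verify_password():
        guard.record_success(account)
        return "ok"
    guard.record_failure(account)
    return "invalid_credentials"
```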


5.5 DICTIONARY ATTACK ON AUTH CODES TO RESET PASSWORD OF ANY USER

Severity HIGH

Type Broken Authentication

Applicable Platform Android Application

5.5.1 ANALYSIS

The application does not implement any protection against dictionary attacks on the code
sent to the user's email address to reset a password. An attacker can try an unlimited
number of codes to guess the code sent to any email account.

5.5.2 AFFECTED AREA

• https://abctelco.net.us/login /user/password/?action=reset

5.5.3 IMPACT

A common threat Android application developers face is a code-guessing attack during a
user's password reset. As no limit is set on the number of code entries, an attacker can
try all possible codes. This way an attacker can reset the password of any account and
log in to the Touch mobile application. It is recommended to enforce a defined limit on
incorrect code attempts.

5.5.4 LIKELIHOOD

The likelihood of this vulnerability being exploited is HIGH.


5.5.5 EVIDENCE

Figure 12: Brute force attack on Auth code

5.5.6 RECOMMENDATION

The application must stop accepting the code after 3 failed attempts.


5.6 BYPASSING EMAIL ACCOUNT VERIFICATION DURING USER SIGNUP

Severity HIGH

Type Broken Authentication

Applicable Platform Android Application

5.6.1 ANALYSIS

The application does not implement any protection against dictionary attacks on the code
sent to the customer's email address during the user signup process. An attacker can try an
unlimited number of codes to guess the code sent to any email account.

5.6.2 AFFECTED AREA

• http://abctelco.net.us/user/?action=register

5.6.3 IMPACT

A common threat Android application developers face is a code-guessing attack during
verification of the code sent to the user's email when signing up for the first time. As no
limit is set on the number of code entries, an attacker can try all possible codes. This way
an attacker can use anyone's account to log in to the Touch mobile application. It is
recommended to enforce a defined limit on incorrect code attempts.

5.6.4 LIKELIHOOD

The likelihood of this vulnerability being exploited is HIGH.


5.6.5 EVIDENCE

The image below shows that we successfully cracked the signup verification code of a
user. The code sent over email for verification was 6127.

Figure 13: Account Verified with cracked code

5.6.6 RECOMMENDATION

The application must stop accepting the code after 3 failed attempts.
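The attempt limit recommended for both the password-reset code (5.5) and the signup verification code (5.6), as one added example in Python (not code from the report or from the ABC TELCO application): a server-side store that burns a code after 3 wrong entries, expires it, compares it in constant time and accepts it once. The class and method names, the 10-minute validity window and the 6-digit default are assumptions; the 4-digit length used in the probability check mirrors the code seen in the evidence.

```python
import hmac
import secrets
import time

MAX_CODE_ATTEMPTS = 3        # report's recommendation (5.5.6 / 5.6.6): stop after 3 failures
CODE_TTL_SECONDS = 10 * 60   # assumed validity window; the report does not specify one


class CodeStore:
    """Server-side store for one-time codes sent by email (reset or signup verification)."""

    def __init__(self, clock=time.time):
        self._clock = clock           # injectable clock so expiry can be tested offline
        self._codes = {}              # email -> [code, issued_at, failed_attempts]

    def issue(self, email, digits=6):
        # Draw from the CSPRNG. A 4-digit code, as seen in the evidence, has only 10,000
        # values; without the attempt limit below that space is exhausted in minutes.
        code = "".join(secrets.choice("0123456789") for _ in range(digits))
        self._codes[email] = [code, self._clock(), 0]
        return code   # returned only so the caller can email it, never to the HTTP client

    def verify(self, email, submitted):
        entry = self._codes.get(email)
        if entry is None:
            return "no_code"          # nothing outstanding: never issued, used, burnt or expired
        code, issued_at, failed = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._codes[email]
            return "expired"
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._codes[email]    # one-time use
            return "ok"
        entry[2] = failed + 1
        if entry[2] >= MAX_CODE_ATTEMPTS:
            del self._codes[email]    # burn the code; the user must request a fresh one
            return "invalidated"
        return "wrong"


def guess_success_probability(digits, attempts):
    """Chance that a guesser succeeds within the allowed attempts against a uniform code."""
    return attempts / (10 ** digits)
```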


5.7 USERNAME ENUMERATION

Severity MEDIUM

Type Security Misconfiguration

Applicable Platform Android Application

5.7.1 ANALYSIS

User enumeration is when a malicious actor can use brute-force to either guess or confirm
valid users in a system.

5.7.2 AFFECTED AREA

• https://abctelco.net.us/login/user/?action=login

5.7.3 IMPACT

Once a list of validated usernames is created, the malicious actor can then perform another
round of brute-force testing, but this time against the passwords until access is finally
gained.

5.7.4 LIKELIHOOD

The likelihood of this vulnerability being exploited is MODERATE.


5.7.5 EVIDENCE

When a user enters a wrong password at login, the application shows the error message
“Enter Valid Password”. The same message should appear whether the username or the
password is wrong.

#Evidence Image#

5.7.6 RECOMMENDATION

The web application must show “Invalid credentials” whenever either field is wrong.


5.8 WEAK PASSWORD POLICY

Severity MEDIUM

Type Security Misconfiguration

Applicable Platform Android Application

5.8.1 ANALYSIS

The application allows setting up a weak password. An attacker can guess a weak password
quite easily.

5.8.2 AFFECTED AREA

• https://abctelco.net.us/login /user/?action=login

5.8.3 IMPACT

A common threat Android application developers face is a weak password policy. The
possibility of compromise increases if weak passwords are allowed. The application must
force users to set up strong passwords.

5.8.4 LIKELIHOOD

The likelihood of this vulnerability being exploited is MEDIUM.

5.8.5 EVIDENCE

The image below shows that the Touch application has a weak password policy. The
application allows only digits and letters when setting a password, which is insecure.

#Evidence Image#

5.8.6 RECOMMENDATION

The application must require users to include digits, symbols, and capital and lower case
letters in a password. The minimum password length should be 8 characters.
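The policy above as an added example in Python (not code from the report or from the ABC TELCO application): a server-side check that reports every unmet requirement rather than a bare pass/fail, so the client can show the user what to fix. The function names and the exact symbol class are assumptions; the check belongs on the server, because a rule enforced only inside the Android client can be skipped by calling the API directly.

```python
import re

MIN_LENGTH = 8   # report's recommendation (5.8.6)

# One pattern per required character class. The weak policy in the evidence accepted
# digits and letters only, so the two rules it lacked are "capital letter" and "symbol".
REQUIRED_CLASSES = {
    "digit": re.compile(r"[0-9]"),
    "lower case letter": re.compile(r"[a-z]"),
    "capital letter": re.compile(r"[A-Z]"),
    "symbol": re.compile(r"[^A-Za-z0-9\s]"),   # assumed: any non-alphanumeric, non-space
}


def check_password(password):
    """Return the list of unmet requirements; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters")
    for name, pattern in REQUIRED_CLASSES.items():
        if not pattern.search(password):
            problems.append(f"at least one {name}")
    return problems


def is_acceptable(password):
    """Convenience wrapper for the registration and password-change handlers."""
    return not check_password(password)
```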


6 OBSERVATION AND RECOMMENDATIONS

This analysis is based on the technologies and known threats as of the date of this report.
We recommend that all remedial countermeasures suggested in this report be implemented
in order to ensure the overall security of the systems and network, and that proper
resources be allocated to ensure that remediation efforts are accomplished in a timely
manner. Specifically, the following actions should be taken to mitigate high risk
vulnerabilities:

• Implement a patch management program as per the guidelines outlined in
NIST SP 800-40; this is an important component in maintaining a good security
posture.

• Security misconfigurations should be eliminated to enhance application
security.

Please note that security auditing is an uncertain process, and tends to evolve with time.
The concerns addressed in the document are dependent on the scenario and the time
when the exercise was performed.
We make no undertaking to supplement or update this report on the basis of changed
circumstances or facts of which we become aware after the date hereof.
