Scribd
Upload
8 views

gKccGnAzQBiqnsjs0WZE_Week 1 Report Template

This penetration testing report details a Black Box security assessment of the Week 1 Labs, identifying vulnerabilities such as HTML Injection and Cross Site Scripting. The assessment found a total of 17 sub-labs with 4 high, 5 medium, and 8 low-risk vulnerabilities. Recommendations for mitigation include input validation, output encoding, and implementing a Content Security Policy.

Uploaded by

wehiwog307
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
8 views

gKccGnAzQBiqnsjs0WZE_Week 1 Report Template

This penetration testing report details a Black Box security assessment of the Week 1 Labs, identifying vulnerabilities such as HTML Injection and Cross Site Scripting. The assessment found a total of 17 sub-labs with 4 high, 5 medium, and 8 low-risk vulnerabilities. Recommendations for mitigation include input validation, output encoding, and implementing a Content Security Policy.

Uploaded by

wehiwog307
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 6

Penetration Testing Report

Full Name:Suraj N S
Program: HCPT
Date:16/02/2025

Introduction
This report document hereby describes the proceedings and results of a Black Box security
assessment conducted against the Week 1 Labs. The report hereby lists the findings and
corresponding best practice mitigation actions and recommendations.

1. Objective
The objective of the assessment was to uncover vulnerabilities in the Week 1 Labs and
provide a final security assessment report comprising vulnerabilities, remediation strategy
and recommendation guidelines to help mitigate the identified vulnerabilities and risks
during the activity.

2. Scope
This section defines the scope and boundaries of the project.

Application HTML Injection, Cross Site Scripting


Name

3. Summary
Outlined is a Black Box Application Security assessment for the Week 1 Labs.

Total number of Sub-labs: 17 Sub-labs

High Medium Low

4 5 8

High - Number of Sub-labs with hard difficulty level

Medium - Number of Sub-labs with Medium difficulty level

Low - Number of Sub-labs with Easy difficulty level


1. HTML Injection Labs
1.1. HTML's are easy!
Reference Risk Rating
HTML’s Are Easy! Low
Tools Used
Browser
Vulnerability Description
Injecting a payload(<h1>Test</h1>) to test the vulnerability revealed that the search parameter
is susceptible to attacks.
How It Was Discovered
Manual Analysis
Vulnerable URLs
https://labs.hacktify.in/HTML/html_lab/lab_1/html_injection_1.php
Consequences of not Fixing the Issue
Data breaches and identity theft, as well as website defacement
Suggested Countermeasures
Implementing input validation, output encoding, a Content Security Policy (CSP), and
parameterized queries can help mitigate This vulnerabilities
References
https://vistainfosec.com/blog/comprehensive-guide-on-html-injection/
https://github.com/ogh-bnz/Html-injection-Bug-Bounty?tab=readme-ov-file

Proof of Concept

1.2. Let me Store them!


Reference Risk Rating
Let me Store them! Low
Tools Used
Browser
Vulnerability Description
When the attacker inputs "/><h1>Test</h1> in the First Name or Last Name field and
updates the profile, the application saves and renders it as raw HTML. This results in injecting
a <h1>Test</h1> tag into the webpage, modifying the UI and potentially enabling stored XSS
if scripts are injected.
How It Was Discovered
Manual Analysis
Vulnerable URLs
https://labs.hacktify.in/HTML/html_lab/lab_2/profile.php
Consequences of not Fixing the Issue
UI manipulation, stored XSS attacks, and phishing or data theft through malicious scripts.
Suggested Countermeasures
it is essential to validate and sanitize user input to remove any harmful HTML tags.
Additionally, implementing a strict Content Security Policy (CSP) and encoding output
properly can protect against the execution of malicious scripts.
References
URLs to the sources used to know more about this vulnerability

Proof of Concept

1.3. File Names are also vulnerable!


Reference Risk Rating
File Names are also vulnerable Low
Tools Used

Vulnerability Description
When the attacker inputs "/><h1>Test</h1> in the First Name or Last Name field and
updates the profile, the application saves and renders it as raw HTML. This results in injecting
a <h1>Test</h1> tag into the webpage, modifying the UI and potentially enabling stored XSS
if scripts are injected.
How It Was Discovered
Manual Analysis
Vulnerable URLs
https://labs.hacktify.in/HTML/html_lab/lab_2/profile.php
Consequences of not Fixing the Issue
UI manipulation, stored XSS attacks, and phishing or data theft through malicious scripts.
Suggested Countermeasures
it is essential to validate and sanitize user input to remove any harmful HTML tags.
Additionally, implementing a strict Content Security Policy (CSP) and encoding output
properly can protect against the execution of malicious scripts.
References
URLs to the sources used to know more about this vulnerability

2. {Lab 2 Name (if the week has 2 labs)}


2.1. {Sub-lab-1 Name}
Reference Risk Rating
{Sub-lab-1 Name} Low / Medium / High
Tools Used
Tools that you have used to find the vulnerability.
Vulnerability Description
About the vulnerability and its working
How It Was Discovered
Automated Tools / Manual Analysis
Vulnerable URLs
URLs of the vulnerable pages in the lab
Consequences of not Fixing the Issue
What will be the consequences if the vulnerability is not patched?
Suggested Countermeasures
Give some Suggestions to stand against this vulnerability
References
URLs to the sources used to know more about this vulnerability
Proof of Concept
This section contains the proof of the above vulnerabilities as the screenshot of the
vulnerability of the lab

2.2. {Sub-lab-2 Name}


Reference Risk Rating
{Sub-lab-2 Name} Low / Medium / High
Tools Used
Tools that you have used to find the vulnerability.
Vulnerability Description
About the vulnerability and its working
How It Was Discovered
Automated Tools / Manual Analysis
Vulnerable URLs
URLs of the vulnerable pages in the lab
Consequences of not Fixing the Issue
What will be the consequences if the vulnerability is not patched?
Suggested Countermeasures
Give some Suggestions to stand against this vulnerability
References
URLs to the sources used to know more about this vulnerability

Proof of Concept
This section contains the proof of the above vulnerabilities as the screenshot of the
vulnerability of the lab

NOTES:

● Everything mentioned inside {} has to be changed based on your week, labs and
sub-labs.
● If you have 2 labs in same week you need to mention that, if not ignore those
mentions for lab 2.
● Here it is given with 2 Sub-labs vulnerability, you need to add all the sub-labs
based on your labs.
● Don’t forget to add the screenshot of the vulnerability in the proof of concept.
● Add only 1 screenshot in the Proof of Concept section.
● This NOTE session is only for your reference, don’t forget to delete this in the
report you submit.

You might also like