eLearnSecurity Professional Penetration Testing Report

Prepared By: Raghad Saleh Alkhalefah
Prepared For: XXX, LLC.
July 10th, 2020

eCPPT Report Sample | Raghad Alkhalefah

Table of Contents

1. Executive Summary ........................................ 3
2. Vulnerability Report ..................................... 6
   2.1 Cross Site Scripting (XSS) ........................... 6
       2.1.1 Reflected XSS .................................. 6
       2.1.2 Stored XSS ..................................... 6
   2.2 SQL Injection ........................................ 7
       2.2.1 Blind SQLi (POST) .............................. 7
3. Remediation Report ....................................... 8
Appendix .................................................... 9
References .................................................. 10

1. Executive Summary

I have been engaged by XXX, LLC to undertake a Black Box Penetration Test against the following defined scope:

Web Server: x.x.x.x
Domain: xxx.com
Organization Network: x.x.x.x/23
Corporate Network: x.x.x.x/24
DMZ: x.x.x.x/24

The testing effort began on DD/MM/YYYY and concluded on DD/MM/YYYY. During this period, the target was analyzed and assessed using a combination of standard tools and utilities.

This Black Box assessment was performed to discover and identify any web application, network, and system issues that could pose an information security risk, and to provide solutions to remedy those issues. This report discusses the results of the assessment, from the vulnerabilities identified to the remediations recommended.

Overall, I achieved the goals of the assessment and identified vulnerabilities in the target web application within the given time frame. This report includes a list of the findings made during the assessment; their details are provided in the Vulnerability Report section, which is followed by the Remediation Report section with tips to help prioritize and assign remediation efforts.

Phases of penetration testing activities:

• Planning – Customer goals are gathered, and rules of engagement obtained.
• Reconnaissance – A brief reconnaissance encompassing both active and passive techniques was conducted to determine the breadth and depth of information available about the target network, with particular emphasis on the harvesting of potential usernames and information.
• Discovery – Scanning and enumeration are performed to identify potential vulnerabilities, weak areas, and exploits.
• Attack – Potential vulnerabilities are confirmed through exploitation, and additional discovery is performed upon new access.
• Reporting – All found vulnerabilities and exploits are documented, together with remediation tips to help the organization overcome these weaknesses.

Goals:

The primary goal of this penetration test is to validate that the appropriate security measures have been implemented by XXX company at the various layers of the portal to mitigate malicious activity.

Secondary goals include:

• To provide assurance to XXX company and their customers that the web application and other services are adequately protected against unauthorized access to information.
• To achieve a high-standard security posture and to identify all potential risks in the web application and other services.

Severity Levels

There are a number of commonly used schemes for rating vulnerability severity; however, many of them are rigid and do not consider context. While such schemes have value, our own experience has shown that context matters very much in rating the true significance of any security fault. Five severity levels are used in reporting security faults:

• CRITICAL: The fault puts the application or system at imminent and substantial risk. These faults require immediate attention. They are severe and easily discovered by attackers, and are immediately exploitable without combination with any other fault, or may require combination with another fault that has already been observed in the application or system under test. This rating also includes information disclosure where the information itself is confidential or of very high value to an attacker.
• HIGH: Faults that could lead to compromise but are not easily discovered, or require significant time or unusual skill to exploit, or are serious but more limited in impact than a CRITICAL fault. These faults are immediately exploitable without combination with any other fault, or require combination with another fault that has already been observed in the application or system under test.
• MEDIUM: Faults that, in the opinion of our security engineer, could lead to compromise but are difficult to detect, difficult to exploit, are limited in impact, or require combination with at least one other fault or with social engineering techniques to be successfully exploited.
• LOW: Faults that could aid in developing other attacks, or faults that if exploited would have limited impact. These faults also include information disclosure that may be helpful to an attacker but is of relatively low perceived value.
• INFORMATIONAL: This severity level is used when our security engineer obtains results that you should know about, but which may or may not represent any specific security issue.

Vulnerabilities By Impact

The following chart breaks down the exploited vulnerabilities found within the target scope by impact rating and affected network:

[Chart: number of vulnerabilities by impact (Critical, High, Medium, Low, Informational) for the Web Server Network, the Organization/Corporate Network and the DMZ Network]

List of Findings

The following list is a summary of items requiring remediation:

#  Description                  Impact Rating  Page Ref
1  Cross Site Scripting (XSS)   High           7
2  SQL Injection                High           11
3                               Low
4                               Medium

Recommendations

We strongly recommend that XXX, LLC does not disregard the findings encountered in this report. If these vulnerabilities/recommendations are dealt with and fixed, the organization will find that the defense-in-depth posture of the system will improve substantially. We also recommend that, in line with good security practice, XXX, LLC conducts periodic re-testing to ensure that neither intentional nor inadvertent changes have compromised their systems, and that new vulnerabilities have not become a threat to them.

2. Vulnerability Report

Web Server (x.x.x.x)

In performing a detailed web application penetration test against XXX.com, I identified several issues of concern.

I began with a network scan against x.x.x.x, which discovered the following open ports:

[PICTURE]

I then moved on to testing each of them.

2.1 Cross Site Scripting (XSS)

Risk: High. An attacker is able to send a malicious script to an unsuspecting user; the end user's browser has no way to know that the script should not be trusted and will execute it.
Brief Description: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
References to classification: OWASP.org
Vulnerability ID: CVE-2020-9524

2.1.1 Reflected XSS

Affected Target: xxxxxx
Exploitation Proof of Concept: [PICTURES WITH DESCRIPTION]

2.1.2 Stored XSS

Affected Target: xxxxxx
Exploitation Proof of Concept: [PICTURES WITH DESCRIPTION]

2.2 SQL Injection

Risk: High. Able to dump database content and tables.
Brief Description: A SQL injection attack consists of the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and, in some cases, issue commands to the operating system. SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.
References to classification: OWASP.org
Vulnerability ID: CVE-2020-9521
2.2.1 Blind SQLi

Affected Target: xxxxxx
Exploitation Proof of Concept: [PICTURES WITH DESCRIPTION]

3. Remediation Report

Vulnerability #1: Cross Site Scripting (XSS)

• Action: Use the HttpOnly cookie flag. Preventing all XSS flaws in an application is hard, as you can see. To help mitigate the impact of an XSS flaw on your site, OWASP also recommends that you set the HttpOnly flag on your session cookie and on any custom cookies that are not accessed by any JavaScript you wrote. This cookie flag is typically on by default in .NET apps, but in other languages you have to set it manually.
… etc

Vulnerability #2: SQL Injection

• Action: Prepared Statements (with Parameterized Queries). Ensure that prepared statements, or another mechanism that enables parameter binding, are used when accessing the database, so that attacker-supplied data cannot control the structure of the executed query.
… etc

Appendix

Host (IP)  Open Ports  Services  Obtained Access?  Vulnerabilities Exploited
x.x.x.x    X, X        xxxxx     Yes               xxx, xxxx, xxxxx

References

https://www.kb.cert.org/vuls/id/520827/
https://access.redhat.com/security/cve/cve-2016-5195
https://www.ncua.gov/newsroom/ncua-report/2017/protect-your-systems-against-eternalbluevulnerability
https://portswigger.net/web-security/os-command-injection
https://cve.mitre.org/
https://cwe.mitre.org/
http://capec.mitre.org/
https://nvd.nist.gov/
https://owasp.org/
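Added worked example (not part of the original report, nor the target application's code) for the XSS finding in section 2.1 and the HttpOnly remediation in section 3. The first half contrasts a reflected request parameter written raw into HTML with the same parameter HTML-encoded for its output context; the second half builds a Set-Cookie header with the recommended flags and audits headers that lack them. The page template, function names and sample headers are constructed for this illustration, and the cookie builder goes beyond the remediation text by also setting Secure and SameSite=Lax.

```python
# Added example (not from the original report): contextual output encoding for
# a reflected parameter, and a Set-Cookie builder/auditor for the HttpOnly flag.
import html
import re

TEMPLATE = "<p>Hello, {name}!</p>"  # constructed page fragment


def render_greeting_vulnerable(name: str) -> str:
    """The flaw from section 2.1: a request parameter is written into the page
    unencoded, so any markup it carries becomes part of the document."""
    return TEMPLATE.format(name=name)


def render_greeting_encoded(name: str) -> str:
    """Remediation: HTML-entity-encode the value for the element-content context
    it lands in, so the browser renders the characters instead of parsing tags."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def contains_foreign_tag(rendered: str) -> bool:
    """Crude check: does the output contain an element other than the template's
    own <p>...</p>? True means injected markup survived into the page."""
    return re.search(r"<(?!/?p\b)[A-Za-z]", rendered) is not None


REQUIRED_FLAGS = ("HttpOnly", "Secure")


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Set-Cookie header value with the flags the remediation calls for:
    HttpOnly (not readable through document.cookie), plus Secure (HTTPS only)
    and SameSite=Lax (not sent on most cross-site requests)."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite=Lax"


def audit_set_cookie(header_value: str) -> dict:
    """Parses one Set-Cookie header value and lists the required flags it lacks.
    Attribute names are matched case-insensitively, as RFC 6265 specifies."""
    parts = [p.strip() for p in header_value.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    missing = [f for f in REQUIRED_FLAGS if f.lower() not in attrs]
    return {"cookie": cookie_name, "missing": missing, "ok": not missing}


# Constructed sample headers, as a server under test might emit them.
SAMPLE_HEADERS = [
    "session=abc123; Path=/",            # no flags: readable by injected script
    "session=abc123; Path=/; Secure",    # still readable by injected script
    build_session_cookie("session", "abc123"),
]


def audit_all(headers=SAMPLE_HEADERS) -> list:
    """Audits every sample header and returns one result dict per cookie."""
    return [audit_set_cookie(h) for h in headers]


if __name__ == "__main__":
    print(render_greeting_vulnerable("<script>alert('xss')</script>"))
    print(render_greeting_encoded("<script>alert('xss')</script>"))
    for result in audit_all():
        print(result)
```

Encoding is context-specific: html.escape() is correct for text placed between tags or inside a quoted attribute, but a value inserted into a script block, a URL or a CSS property needs the encoding for that context. The cookie audit is a cheap check to run over the Set-Cookie headers of every authenticated response during re-testing; a session cookie without HttpOnly is what turns any surviving XSS into session theft.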