Penetration Testing Report

1 Executive Summary

The penetration testing of the testphp.vulnweb.com website identified several critical and high-severity
vulnerabilities that could pose a significant risk to the security of the site and its users.

1.1 Assessment Summary

The most severe vulnerabilities discovered were SQL Injection and File Inclusion vulnerabilities, which
could allow an attacker to gain unauthorized access to sensitive data or execute arbitrary code on the
server. Additionally, the website's outdated PHP version and weak password policy were also classified
as critical vulnerabilities that need to be addressed urgently.

The following table lists the in-scope items of the penetration test and breaks down the issues
identified, classified by severity of risk. (Note that this summary table does not include the
informational items):

Phase  Description              Critical  High  Medium  Low  Total
1      Web Penetration Testing  3         1     2       1    7
Total                           3         1     2       1    7

The graph below summarizes the total number of vulnerabilities found up until the issuing of this
current report:

[Figure: bar chart of vulnerabilities by severity (Critical, High, Medium, Low); count axis from 0 to 6]

Strategic Recommendations
Overall, the testing process was effective in identifying the security weaknesses in the website, and the
results should be used to prioritize and address the Critical and High vulnerabilities to protect the site
and its users from potential attacks.

1.2 Findings Overview


All the issues identified during the assessment are listed below with a brief description and risk rating for
each issue.

Ref       Description                                        Risk
SQLI-1-1  SQL Injection vulnerabilities                      CRITICAL
PHP-1-2   Outdated PHP version                               CRITICAL
WP-1-3    Weak Password                                      CRITICAL
XSS-1-4   Cross-Site Scripting (XSS) vulnerabilities         HIGH
SFD-1-5   Sensitive files disclosure                         MEDIUM
DID-1-6   Directory Index disclosure                         MEDIUM
ID-1-8    Personally Identifiable Information Disclosure     LOW


2 Technical Details
2.1 SQL Injection vulnerabilities CRITICAL
Ref ID: SQLI-1-1
It has been discovered that the system is vulnerable to SQL injection attacks, which could allow a
malicious user to retrieve sensitive information such as usernames, passwords, and other confidential
data stored in the database. This poses a significant risk to the confidentiality and integrity of the
system's data, as well as the privacy of the users whose information may be exposed.
Vulnerability Details:
Affects: http://testphp.vulnweb.com/listproducts.php?cat=1
Parameter(s): union select 1,2,3,4,5,6,group_concat(uname," ",pass," ",cc," ",address,
"__",email),8,9,10,11 from users

Finding vulnerable URLs

Evidence

A successful attack would consist of the following:

1. Identifying the vulnerable URL.
2. Injecting the SQL payload into the parameter; in our case: union select 1,2,3,4,5,6,group_concat(uname," ",pass," ",cc," ",address,
"__",email),8,9,10,11 from users
Remediation Guidance:
1-Input Validation: Validate user input on the server side, ensuring that any input received from the
user, such as form data or query parameters, is properly formatted and validated before being used in a
SQL query.

2-Parameterized Queries: Use parameterized queries to build SQL statements instead of concatenating
user input directly into the SQL query.

3-Least Privilege: Database users should only have the minimum permissions necessary to perform
their specific tasks.
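The three remediation points above, shown side by side against the vulnerable pattern. This is an added example and not code from the report or from the tested application: the application is PHP, but the pattern is demonstrated here in Python with an in-memory SQLite database and a constructed products/users schema that mirrors the listproducts.php?cat=1 scenario. The least-privilege step uses sqlite3's authorizer callback to stand in for a dedicated database account with no rights on the users table.

```python
import re
import sqlite3

# Constructed sample schema mirroring listproducts.php?cat=<id>: a public
# products table and a users table holding the secrets the finding mentions.
SCHEMA = """
CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT);
CREATE TABLE users (uname TEXT, pass TEXT, cc TEXT, address TEXT, email TEXT);
INSERT INTO products VALUES (1, 1, 'Widget'), (2, 1, 'Gadget'), (3, 2, 'Gizmo');
INSERT INTO users VALUES ('alice', 'hunter2', '4111111111111111', '1 Main St', 'alice@example.com');
"""

# Constructed UNION payload of the kind quoted in the finding; three columns so
# it lines up with the products SELECT below.
UNION_PAYLOAD = "1 UNION SELECT uname, pass, email FROM users"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_products_unsafe(conn, cat):
    """Vulnerable pattern: the raw query-string value is concatenated into the SQL
    text, so anything placed in `cat` becomes part of the statement."""
    sql = "SELECT id, cat, name FROM products WHERE cat = " + cat
    return conn.execute(sql).fetchall()


def list_products_safe(conn, cat):
    """Remediations 1 and 2: validate the value's shape, then bind it as a parameter."""
    # Input validation: a category id is a short run of ASCII digits, nothing else.
    if not re.fullmatch(r"[0-9]{1,9}", cat):
        raise ValueError("cat must be a positive integer")
    # Parameterized query: the value travels separately from the SQL text and can
    # never alter the statement's structure.
    sql = "SELECT id, cat, name FROM products WHERE cat = ?"
    return conn.execute(sql, (int(cat),)).fetchall()


def restrict_to_products(conn):
    """Remediation 3, least privilege: the product-listing code path gets a
    connection that may not read the users table at all. On a real DBMS this is
    a GRANT on a dedicated account; sqlite3 models it with an authorizer."""
    def authorizer(action, arg1, arg2, db_name, trigger):
        if action == sqlite3.SQLITE_READ and arg1 == "users":
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def attempt(fn, conn, cat):
    """Run a handler and report whether the request was served or rejected."""
    try:
        return ("served", fn(conn, cat))
    except ValueError as exc:
        return ("rejected-by-validation", str(exc))
    except sqlite3.DatabaseError as exc:
        return ("rejected-by-db", str(exc))


if __name__ == "__main__":
    db = make_db()
    print("unsafe, payload:", attempt(list_products_unsafe, db, UNION_PAYLOAD))
    print("safe, payload:  ", attempt(list_products_safe, db, UNION_PAYLOAD))
    restrict_to_products(db)
    print("unsafe, payload, least privilege:", attempt(list_products_unsafe, db, UNION_PAYLOAD))
    print("safe, cat=1:    ", attempt(list_products_safe, db, "1"))
```

Running the script shows the unsafe handler returning the users row alongside the products, the safe handler rejecting the same input before it reaches the database, and, once the connection is restricted, even the unsafe handler failing with "not authorized" because the users table is out of reach: the three layers are independent, so a bug in one does not by itself expose the data.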
2.2 Outdated PHP version CRITICAL
Ref ID: PHP-1-2
The system is currently running an older version of PHP (5.1.6) that’s vulnerable to security threats. As
a result, there is a risk that malicious actors may be able to exploit known vulnerabilities in the PHP
version to access sensitive data, compromise the application's stability, or even gain unauthorized
access to the system.

Vulnerability Details:
Affects: http://testphp.vulnweb.com/
Attack Vectors: The possibility of gaining access to multiple functions of the website.

References: https://www.cvedetails.com/version/399025/PHP-PHP-5.1.6.html

Evidence
phpinfo.php found by DirBuster at one of the URLs (/secured)
(http://testphp.vulnweb.com/secured/phpinfo.php).

Multiple vulnerabilities have been discovered in this version.

A successful attack would consist of the following:

-Using the information provided by CVE Details to carry out the different types of attacks.
Remediation Guidance:
1-Upgrade to the latest version: The most effective way to address vulnerabilities caused by outdated
PHP versions is to upgrade to the latest version of PHP.

2-Apply security patches: Apply the security patches that have been released for your version of
PHP.

3-Use a web application firewall (WAF): A WAF can provide an additional layer of security by monitoring
incoming traffic and blocking any requests that are deemed suspicious or potentially malicious.
2.3 Weak Password CRITICAL
Ref ID: WP-1-3

The user has a weak password, making the account vulnerable to brute-force attacks. Weak passwords can be
easily guessed or cracked, providing unauthorized access to sensitive data stored on the system. This
poses a serious threat to the confidentiality and integrity of data, potentially resulting in compromised
user accounts, loss of critical information, and overall system instability.
As we found out before, the password is very weak and found in almost all wordlists, and cracking it
won’t take much time.

Vulnerability Details:
Affects: http://testphp.vulnweb.com/login.php
Attack Vectors: Users with weak passwords

Evidence

A successful attack would consist of the following:

-Using any brute-force tool to test weak passwords (e.g. Burp Suite).
Remediation Guidance:
1-Require strong passwords: Implement a password policy that requires users to create strong
passwords, with a minimum length of 12 characters, a combination of upper and lowercase letters,
numbers, and symbols.
2-Enforce password complexity: Configure the system to enforce password complexity rules, such as
disallowing commonly used passwords or requiring passwords to be changed regularly.
3-Use multi-factor authentication: Implement multi-factor authentication (MFA) to provide an additional
layer of security. MFA requires users to provide two or more authentication factors, such as a password
and a fingerprint or a one-time code sent to their phone.
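A server-side policy check implementing remediation points 1 and 2 above (minimum length of 12, mixed case, digits and symbols, and rejection of commonly used passwords). This is an added example, not code from the report or the tested site; it is written in Python rather than the site's PHP, and the COMMON_PASSWORDS set is a constructed stand-in for a real wordlist such as the ones the report says the password was found in. It goes slightly beyond the text by also catching a common password dressed up with a trailing digit or symbol.

```python
import re
import string

# Constructed denylist; in production this would be a breached-password list
# with many millions of entries, loaded from disk or queried via a hashed prefix.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "admin", "welcome", "iloveyou", "test", "passw0rd", "password123",
}

MIN_LENGTH = 12


def password_violations(password, common=COMMON_PASSWORDS):
    """Return the list of policy rules the password fails (empty list = accepted).

    Rules follow the report's remediation: at least 12 characters, upper and lower
    case letters, a digit, a symbol, and not a commonly used password.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(ch in string.punctuation for ch in password):
        problems.append("no symbol")
    # Denylist check is case-insensitive and also strips trailing digits/symbols,
    # so "Password123!" is still recognised as a dressed-up "password".
    lowered = password.lower()
    core = re.sub(r"[^a-z]+$", "", lowered)
    if lowered in common or core in common:
        problems.append("commonly used password")
    return problems


def is_acceptable(password):
    """Convenience wrapper for a registration or password-change handler."""
    return not password_violations(password)


if __name__ == "__main__":
    for candidate in ["hunter2", "Password123!", "Tr0ub4dor&3xYz!"]:
        print(repr(candidate), "->", password_violations(candidate) or "accepted")
```

Reject the password with the full list of violations rather than the first one, so the user can fix everything in a single attempt; the check belongs on the server, since client-side enforcement can be bypassed. Remediation point 3 (MFA) is a separate control and is not something a password check can provide.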
2.4 Cross-Site Scripting (XSS) vulnerabilities HIGH
Ref ID: XSS-1-4

The system is exposed to XSS attacks due to inadequate input validation and output
encoding. This makes it possible for attackers to inject harmful scripts or code into the web pages.
Vulnerability Details:

Affects: http://testphp.vulnweb.com/search.php
http://testphp.vulnweb.com/guestbook.php
Parameter(s): <marquee onstart=alert(1)>XSS</marquee>

Request:
As we can see, we can use any XSS payload in the search bar.

Evidence:

Remediation Guidance:
1-Input validation: Implement strict input validation policies to ensure that user input is sanitized and
free from any malicious code or script.
2-Output encoding: Encode output data using appropriate methods, such as HTML entity encoding or
JavaScript escaping, to prevent script injection.
3-Content Security Policy (CSP): Utilize a CSP to restrict the execution of untrusted scripts and to
mitigate the impact of any successful XSS attacks.
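The three remediation points above applied to the search.php case, using the report's own payload as test input. This is an added example, not code from the report or the tested application; the application is PHP, but the same steps are shown here in Python. The function names, the search-term length limit and the CSP directives are assumptions chosen for the example, not settings taken from the site.

```python
import html
import json

# The payload quoted in the finding, used here as constructed test input.
PAYLOAD = "<marquee onstart=alert(1)>XSS</marquee>"


def render_search_unsafe(query):
    """Vulnerable pattern: the search term is echoed into the HTML verbatim,
    so markup in the term becomes markup in the page."""
    return f"<h2>Results for {query}</h2>"


def validate_search_term(query, max_len=100):
    """Remediation 1, input validation: bound the length and refuse control
    characters. Returns None on rejection. Validation narrows the input but does
    not make it safe for a given output context; encoding is still required."""
    if len(query) > max_len or any(ord(c) < 32 for c in query):
        return None
    return query


def render_search_safe(query):
    """Remediation 2, HTML context: entity-encode before interpolating into
    markup, so '<' and '>' are displayed, not parsed."""
    return f"<h2>Results for {html.escape(query, quote=True)}</h2>"


def to_js_literal(value):
    """Remediation 2, JavaScript context: emit a JSON string literal and also
    escape '<', '>' and the U+2028/U+2029 line separators, so the value can
    neither close an enclosing <script> block nor break the script."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c").replace(">", "\\u003e")
                   .replace("\u2028", "\\u2028").replace("\u2029", "\\u2029"))


def csp_header():
    """Remediation 3: a policy allowing scripts only from the site's own origin
    and no inline script, so an injected <script> or event-handler attribute is
    not executed even if encoding is missed somewhere."""
    return ("Content-Security-Policy",
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")


if __name__ == "__main__":
    print(render_search_unsafe(PAYLOAD))
    print(render_search_safe(PAYLOAD))
    print("<script>var q = " + to_js_literal("</script><b>x</b>") + ";</script>")
    print(": ".join(csp_header()))
```

The encoder must match the context the value lands in: HTML entity encoding is correct inside element content and attribute values, but inside a script block the JavaScript-string form is needed instead. The CSP is a backstop for the cases where encoding is forgotten; it does not replace it, and a policy with 'unsafe-inline' in script-src would give up most of its benefit.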
2.5 Sensitive files disclosure MEDIUM
Ref ID: SFD-1-5

It has been discovered that the system is vulnerable to sensitive files disclosure, which could allow an
unauthorized user to gain access to confidential information. This poses a significant risk to the privacy
and security of the system's data, as well as the individuals whose information may be exposed.
Vulnerability Details:

Affects: http://testphp.vulnweb.com/admin/
http://testphp.vulnweb.com/CVS/Root
http://testphp.vulnweb.com/secured/phpinfo.php
References: https://github.com/v0re/dirb/blob/master/wordlists/common.txt

Request:
We used Burp Suite to find Critical Files Disclosure

Evidence:
Remediation Guidance:
1-Conduct a risk assessment: Conduct a thorough risk assessment to identify all sensitive files and
data in the system, including where they are stored, who has access to them, and the potential risks
associated with them.
2-Implement access controls: Ensure that sensitive files are only accessible to authorized personnel
who require access to perform their job duties. Use role-based access controls to limit access to
sensitive files and data.
3-Use encryption: Implement encryption to protect sensitive files both at rest and in transit. This can
include encryption of file storage, database encryption, and encrypted file transfers.
2.6 Directory Index disclosure MEDIUM
Ref ID: SFD-1-6
It has been identified that the system is susceptible to Directory Index disclosure, which could enable
an unauthorized user to access sensitive information such as system configuration files, source code,
and other critical data stored in the web server's directories.
Vulnerability Details:

Affects: http://testphp.vulnweb.com/Flash/
http://testphp.vulnweb.com/CVS/
http://testphp.vulnweb.com/.idea/
References: https://github.com/v0re/dirb/blob/master/wordlists/common.txt

Request:
As before, we used Burp Suite to find Directory Index Disclosure

Evidence:

Remediation Guidance:
1-Disable directory indexing: Disable directory indexing on the server to prevent sensitive information
from being exposed. This can be done by modifying the server configuration files or using web server
modules or plugins.
2-Implement access controls: Ensure that sensitive directories and files are only accessible to
authorized personnel who require access to perform their job duties. Use role-based access controls to
limit access to sensitive files and data.
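A regression check a defender can run after applying the remediations in 2.5 and 2.6, to confirm that directory listings are off, diagnostic scripts and version-control metadata are no longer served, and the admin area is no longer reachable without authentication. This is an added example, not code from the report; it performs no network access, and the SAMPLE_RESPONSES are constructed to look like what a scanner would get back for the paths the report lists. The heuristics (an "Index of" title for listings, a phpinfo() title for the diagnostic page) are assumptions about typical server output.

```python
import re

# Constructed (path, status, body) tuples standing in for scanner responses.
SAMPLE_RESPONSES = [
    ("/CVS/", 200, "<html><head><title>Index of /CVS</title></head><body>"
                   "<h1>Index of /CVS</h1><a href='Root'>Root</a></body></html>"),
    ("/.idea/", 403, "<html><title>403 Forbidden</title></html>"),
    ("/secured/phpinfo.php", 200, "<html><title>phpinfo()</title>"
                                  "<h1>PHP Version 5.1.6</h1></html>"),
    ("/admin/", 200, "<html><title>Admin</title><form>...</form></html>"),
    ("/index.php", 200, "<html><title>Home</title></html>"),
]

# Paths that should never be reachable on a production host: version-control
# metadata, IDE settings and diagnostic scripts (list assembled from the report's
# findings plus the common .git/.svn cases).
SENSITIVE_PATH = re.compile(r"^/(CVS|\.idea|\.git|\.svn)(/|$)|/phpinfo\.php$", re.IGNORECASE)
ADMIN_PATH = re.compile(r"^/admin(/|$)", re.IGNORECASE)
DIR_LISTING = re.compile(r"<title>\s*Index of\s", re.IGNORECASE)
PHPINFO_PAGE = re.compile(r"<title>\s*phpinfo\(\)\s*</title>|PHP Version \d", re.IGNORECASE)


def classify(path, status, body):
    """Return the list of disclosure issues a single response exhibits."""
    findings = []
    if status != 200:
        return findings            # blocked, redirected or absent: nothing disclosed
    if DIR_LISTING.search(body):
        findings.append("directory-index")
    if PHPINFO_PAGE.search(body):
        findings.append("phpinfo-disclosure")
    if SENSITIVE_PATH.search(path):
        findings.append("sensitive-path-reachable")
    if ADMIN_PATH.search(path):
        findings.append("admin-area-unauthenticated")
    return findings


def audit(responses):
    """Map each offending path to its findings; paths with no issue are omitted."""
    report = {}
    for path, status, body in responses:
        found = classify(path, status, body)
        if found:
            report[path] = found
    return report


if __name__ == "__main__":
    for path, issues in audit(SAMPLE_RESPONSES).items():
        print(f"{path}: {', '.join(issues)}")
```

A clean run returns an empty dict. Note that /.idea/ passes here only because it answers 403; if it is merely hidden by turning off indexing but the files inside remain fetchable, the check should also be fed the individual files (for example /CVS/Root from the report) and not only the directory URLs.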
2.7 Personally Identifiable Information Disclosure MEDIUM
Ref ID: PIID-1-7

Information disclosure of personally identifiable information (PII) such as credit card numbers, addresses,
full names, and phone numbers can be a serious security threat that can lead to identity theft, financial
loss, and reputational damage.
Vulnerability Details:

Affects: http://testphp.vulnweb.com/Flash/
http://testphp.vulnweb.com/CVS/
http://testphp.vulnweb.com/.idea/
References: https://github.com/v0re/dirb/blob/master/wordlists/common.txt

Evidence:

Remediation Guidance:
1-Limit data retention: Implement policies to limit the retention of sensitive data to only what is
necessary for business purposes. This can reduce the amount of data that is at risk of being exposed in
the event of a security breach.
2-Conduct regular security audits: Regular security audits can help to identify vulnerabilities and
security gaps in the system. This can help to identify areas where information disclosure may occur.
3-Use data masking: Implement data masking techniques to hide sensitive information from
unauthorized users. This can include using techniques such as redaction or encryption to mask
sensitive data.
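Remediation point 3 above (data masking by redaction) applied to the kinds of PII the finding names, using the column layout of the users table quoted in the SQL injection finding (uname, pass, cc, address, email). This is an added example, not code from the report or the tested application, written in Python rather than the site's PHP; the record values are constructed.

```python
import re

# Constructed record in the column order the report's payload reads from the
# users table: uname, pass, cc, address, email.
SAMPLE_USER = ("alice", "hunter2", "4111 1111 1111 1111", "1 Main St", "alice@example.com")


def mask_card_number(pan):
    """Redact a payment card number to its last four digits (the usual display form)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(email):
    """Keep the first character of the local part and the domain."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError("not an e-mail address")
    return local[0] + "***@" + domain


def mask_user_record(row):
    """Produce the version of a user row that may be shown to support staff or
    written to logs: password never shown, card and e-mail masked, street
    address redacted entirely."""
    uname, _password, cc, _address, email = row
    return {
        "uname": uname,
        "pass": "[redacted]",
        "cc": mask_card_number(cc),
        "address": "[redacted]",
        "email": mask_email(email),
    }


if __name__ == "__main__":
    print(mask_user_record(SAMPLE_USER))
```

Masking addresses display and logging; it does not reduce what an attacker obtains if the underlying table is read directly, which is why the report pairs it with limiting retention and fixing the injection itself.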
